From 1d38142d798f3024a8b5282e25a7aa40e271cc03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 27 Mar 2019 20:18:09 +0100 Subject: [PATCH 1/4] implement first cis controls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- Gemfile | 14 ++++----- attributes/sec_policy.rb | 14 ++++++--- recipes/default.rb | 2 +- recipes/password_policy.rb | 31 ------------------- .../default/inspec/controls/tests.rb | 3 +- test/integration/default/inspec/inspec.yml | 2 +- 6 files changed, 20 insertions(+), 46 deletions(-) delete mode 100644 recipes/password_policy.rb diff --git a/Gemfile b/Gemfile index f5a0730..870edd9 100644 --- a/Gemfile +++ b/Gemfile @@ -1,21 +1,21 @@ source 'https://rubygems.org' -gem 'berkshelf', '~> 5.3' -gem 'chef', '~> 12.5' +gem 'berkshelf', '~> 7.0.8' +gem 'chef', '~> 14' group :test do - gem 'foodcritic', '~> 6.0' - gem 'highline', '~> 1.6.0' - gem 'rubocop', '~> 0.56.0' + gem 'foodcritic', '~> 15.1.0' + gem 'highline', '~> 1.6' + gem 'rubocop', '~> 0.66.0' end group :integration do - gem 'inspec', '~> 1' + gem 'inspec', '~> 3' gem 'kitchen-inspec' gem 'kitchen-vagrant' gem 'test-kitchen' end group :tools do - gem 'github_changelog_generator', '~> 1.12.0' + gem 'github_changelog_generator', '~> 1.14.3' end diff --git a/attributes/sec_policy.rb b/attributes/sec_policy.rb index c598f69..91ceb1a 100644 --- a/attributes/sec_policy.rb +++ b/attributes/sec_policy.rb 
@@ -5,10 +5,15 @@ # System access settings # Nil value means nothing will be written to the security policy template. -default['security_policy']['access']['PasswordComplexity'] = 1 -default['security_policy']['access']['LockoutBadCount'] = 3 -default['security_policy']['access']['ResetLockoutCount'] = 15 -default['security_policy']['access']['LockoutDuration'] = 15 +default['security_policy']['access']['PasswordHistorySize'] = 24 +default['security_policy']['access']['PasswordComplexity'] = 1 +default['security_policy']['access']['MinimumPasswordAge'] = 1 +default['security_policy']['access']['MaximumPasswordAge'] = 60 +default['security_policy']['access']['MinimumPasswordLength'] = 14 +default['security_policy']['access']['LockoutBadCount'] = 10 +default['security_policy']['access']['ResetLockoutCount'] = 15 +default['security_policy']['access']['LockoutDuration'] = 15 +default['security_policy']['access']['ClearTextPassword'] = 0 # Security policy rights / privileges settings. default['security_policy']['rights']['SeRemoteInteractiveLogonRight'] = '*S-1-5-32-544' @@ -16,3 +21,4 @@ default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' default['security_policy']['rights']['SeTrustedCredManAccessPrivilege'] = '' default['security_policy']['rights']['SeNetworkLogonRight'] = '' +default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' diff --git a/recipes/default.rb b/recipes/default.rb index d9ae29b..ba265ab 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -6,7 +6,7 @@ return unless node['platform_family'] == 'windows' -include_recipe 'windows-hardening::password_policy' +#include_recipe 'windows-hardening::password_policy' include_recipe 'windows-hardening::security_policy' include_recipe 'windows-hardening::user_rights' include_recipe 'windows-hardening::audit' diff --git a/recipes/password_policy.rb b/recipes/password_policy.rb deleted file mode 100644 index 82cac26..0000000 
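Review bot: The added `SeMachineAccountPrivilege` line in the second hunk repeats the assignment three lines above it (both `'*S-1-5-32-544'`), so the write changes nothing; drop it or, if a different right was intended, name that key. In the first hunk the lockout threshold moves from 3 to 10, which is the CIS ceiling ("10 or fewer invalid attempts") rather than a tightening of the previous value, and that deserves a word next to the number, e.g. `# CIS allows up to 10 attempts; a lower value is stricter and still compliant`.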
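Review bot: `#include_recipe 'windows-hardening::password_policy'` is left commented out while the same patch deletes `recipes/password_policy.rb`, so the line now references a recipe that no longer exists; remove it instead of keeping dead text in the run list. If a breadcrumb is wanted, a comment that explains the move is more useful than the old call, e.g. `# password settings moved to attributes/sec_policy.rb (security_policy recipe)`.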
--- a/recipes/password_policy.rb +++ /dev/null @@ -1,31 +0,0 @@ -# -# Cookbook Name:: windows-hardening -# Recipe:: password_policy -# -# Copyright (c) 2018 The Authors, All Rights Reserved. - -return unless node['platform_family'] == 'windows' - -# Set Enforce password history to 24 or more passwords -# cis: enforce-password-history 1.1.1 -password_policy 'password_history' do - policy_command 'uniquepw' - value 24 - action :set -end - -# Set Minimum password age to 1 or more days -# cis: minimum-password-age 1.1.3 -password_policy 'password_age' do - policy_command 'minpwage' - value 1 - action :set -end - -# Set Minimum password length to 14 or more characters -# cis: minimum-password-length 1.1.4 -password_policy 'password_length' do - policy_command 'minpwlen' - value 14 - action :set -end diff --git a/test/integration/default/inspec/controls/tests.rb b/test/integration/default/inspec/controls/tests.rb index 1e31692..59d4765 100644 --- a/test/integration/default/inspec/controls/tests.rb +++ b/test/integration/default/inspec/controls/tests.rb @@ -1,6 +1,5 @@ include_controls 'windows-baseline' do # we need to skip the test to ensure we can connect with non-administrator # winrm user for our tests - skip_control 'cis-network-access-2.2.2' - skip_control 'windows-account-100' + attribute('se_network_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551']) end diff --git a/test/integration/default/inspec/inspec.yml b/test/integration/default/inspec/inspec.yml index db36649..73dbe5e 100644 --- a/test/integration/default/inspec/inspec.yml +++ b/test/integration/default/inspec/inspec.yml @@ -1,4 +1,4 @@ name: windows-hardening-integration-tests depends: - name: windows-baseline - url: https://github.com/dev-sec/windows-baseline + path: ../windows-baseline \ No newline at end of file From c85aaf6c4cd9d5f4741fcb4ac62890fb66812964 Mon Sep 17 00:00:00 2001 
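Review bot: Switching the `windows-baseline` dependency from `url:` to `path: ../windows-baseline` makes the integration profile depend on an unpinned sibling checkout that every CI job has to provide, and neither form pins a version; a `git:` source with a `tag:` (or `commit:`) would make the test reproducible without the out-of-tree checkout. The file also loses its trailing newline, as the `\ No newline at end of file` marker shows.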
From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Thu, 28 Mar 2019 14:39:44 +0100 Subject: [PATCH 2/4] implement until cis 2.3.2.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- .kitchen.yml | 5 + attributes/account.rb | 14 + attributes/default.rb | 6 + attributes/sec_policy.rb | 275 ++++++++++++++++-- recipes/accounts.rb | 95 ++++++ recipes/default.rb | 3 + recipes/devices.rb | 14 + resources/account_status.rb | 18 ++ resources/rename_account.rb | 18 ++ .../default/inspec/controls/tests.rb | 3 + 10 files changed, 434 insertions(+), 17 deletions(-) create mode 100644 attributes/account.rb create mode 100644 recipes/accounts.rb create mode 100644 recipes/devices.rb create mode 100644 resources/account_status.rb create mode 100644 resources/rename_account.rb diff --git a/.kitchen.yml b/.kitchen.yml index 67c3740..3fe35ea 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -26,6 +26,11 @@ suites: run_list: - recipe[windows-hardening::default] attributes: + account_status: + names: + - 'Guest' + rename_account: + admin_account: false security_policy: rights: SeNetworkLogonRight: '*S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551' diff --git a/attributes/account.rb b/attributes/account.rb new file mode 100644 index 0000000..38b0ed8 --- /dev/null +++ b/attributes/account.rb @@ -0,0 +1,14 @@ +# encoding: utf-8 + +# Cookbook Name:: windows-hardening +# Attributes:: account + +# define which accounts should be disabled +default['account_status']['names'] = ['Administrator', 'Guest'] +default['account_status']['active_yes_no'] = 'no' + +# define the new account names for Administrator and Guest +default['rename_account']['admin_account'] = true +default['rename_account']['guest_account'] = true +default['rename_account']['new_admin_name'] = 'CustomAdminName' +default['rename_account']['new_guest_name'] = 'CustomGuestName' 
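Review bot: The shipped defaults disable the built-in `Administrator` account and rename it to `CustomAdminName` on any node that converges with the cookbook's defaults; on a host where that is the only administrative account, or the account Chef/WinRM itself uses, a default converge locks the operator out — the `.kitchen.yml` hunk in this same patch has to override `names` and `admin_account` just to keep the test box reachable, which suggests the defaults are too aggressive. Consider defaulting `names` to `%w[Guest]` and `admin_account` to `false`, and saying in the comment that the Administrator settings must be opted into deliberately. The replacement names are also published with the cookbook, so `CustomAdminName`/`CustomGuestName` add none of the obscurity the rename control is meant to provide; a comment such as `# override these names per site — the defaults are public in this cookbook` makes that explicit.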
diff --git a/attributes/default.rb b/attributes/default.rb
index dc808a2..6bc1bea 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -6,3 +6,9 @@
 # set this value if you want to harden terminal services
 default['windows_hardening']['rdp']['harden'] = true
 default['windows_hardening']['smbv1']['disable'] = true
+
+# apply MS or DC configuration, possible values MS or DC
+default['default']['ms_or_dc'] = 'MS'
+
+# apply Level 1 or 2 configuration, possible values 1 or 2
+default['default']['level_1_or_2'] = 1
\ No newline at end of file
diff --git a/attributes/sec_policy.rb b/attributes/sec_policy.rb
index 91ceb1a..0b6fa6d 100644
--- a/attributes/sec_policy.rb
+++ b/attributes/sec_policy.rb
@@ -1,3 +1,8 @@
+# encoding: utf-8
+
+# Cookbook Name:: windows-hardening
+# Attributes:: security_policy
+
 # General security policy settings
 default['security_policy']['template']['location'] = 'C:\Windows\security\templates'
 default['security_policy']['database']['location'] = 'C:\Windows\security\database'
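Review bot: The two new attributes live under `default['default'][...]`, while the rest of this file uses the `default['windows_hardening'][...]` namespace; `node['default']` is easy to confuse with the `default` precedence level and is not discoverable next to the existing keys, so `default['windows_hardening']['ms_or_dc']` / `default['windows_hardening']['level_1_or_2']` would be consistent (the readers in `attributes/sec_policy.rb` change accordingly). The comment could also state what the values switch, e.g. `# MS = member server, DC = domain controller; selects which CIS profile the rights below follow`. The file loses its trailing newline, as the `\ No newline at end of file` marker shows.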
@@ -5,20 +10,256 @@ # System access settings # Nil value means nothing will be written to the security policy template. -default['security_policy']['access']['PasswordHistorySize'] = 24 -default['security_policy']['access']['PasswordComplexity'] = 1 -default['security_policy']['access']['MinimumPasswordAge'] = 1 -default['security_policy']['access']['MaximumPasswordAge'] = 60 -default['security_policy']['access']['MinimumPasswordLength'] = 14 -default['security_policy']['access']['LockoutBadCount'] = 10 -default['security_policy']['access']['ResetLockoutCount'] = 15 -default['security_policy']['access']['LockoutDuration'] = 15 -default['security_policy']['access']['ClearTextPassword'] = 0 - -# Security policy rights / privileges settings. -default['security_policy']['rights']['SeRemoteInteractiveLogonRight'] = '*S-1-5-32-544' -default['security_policy']['rights']['SeTcbPrivilege'] = '' -default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' -default['security_policy']['rights']['SeTrustedCredManAccessPrivilege'] = '' -default['security_policy']['rights']['SeNetworkLogonRight'] = '' -default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Enforce password history\' is set to \'24 or more password(s)\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1' +default['security_policy']['access']['PasswordHistorySize'] = 24 + +# Ensure \'Maximum password age\' is set to \'60 or fewer days, but not 0\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.2' +default['security_policy']['access']['MaximumPasswordAge'] = 60 + +# Ensure \'Minimum password age\' is set to \'1 or more day(s)\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark 
v2.3.0 - 03-30-2018': '1.1.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.3' +default['security_policy']['access']['MinimumPasswordAge'] = 1 + +# Ensure \'Minimum password length\' is set to \'14 or more character(s)\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.4' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.4' +default['security_policy']['access']['MinimumPasswordLength'] = 14 + +# Ensure \'Password must meet complexity requirements\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.5' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.5' +default['security_policy']['access']['PasswordComplexity'] = 1 + +# Ensure \'Store passwords using reversible encryption\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.6' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.6' +default['security_policy']['access']['ClearTextPassword'] = 0 + +# Ensure \'Account lockout duration\' is set to \'15 or more minute(s)\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.2.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.2.1' +default['security_policy']['access']['LockoutDuration'] = 15 + +# Ensure \'Account lockout threshold\' is set to \'10 or fewer invalid logon attempt(s), but not 0\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.2.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.2.2' +default['security_policy']['access']['LockoutBadCount'] = 10 + +# Ensure \'Reset account lockout counter after\' is set to \'15 or more minute(s)\' +# tag 'CIS Microsoft Windows Server 2012 R2 
Benchmark v2.3.0 - 03-30-2018': '1.2.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.2.3' +default['security_policy']['access']['ResetLockoutCount'] = 15 + +# Ensure \'Access Credential Manager as a trusted caller\' is set to \'No One\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.1' +default['security_policy']['rights']['SeTrustedCredManAccessPrivilege'] = '' + +# Configure \'Access this computer from the network\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.2', '2.2.3'] +default['security_policy']['rights']['SeNetworkLogonRight'] = '' + +# Ensure \'Act as part of the operating system\' is set to \'No One\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.4' +default['security_policy']['rights']['SeTcbPrivilege'] = '' + +# Ensure \'Add workstations to domain\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.4' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.5' +default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Adjust memory quotas for a process\' is set to \'Administrators, LOCAL SERVICE, NETWORK SERVICE\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.5' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.6' +default['security_policy']['rights']['SeIncreaseQuotaPrivilege'] = '*S-1-5-19, *S-1-5-20, *S-1-5-32-544' + +# Ensure \'Allow log on locally\' is set to 
\'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.6' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.7' +default['security_policy']['rights']['SeInteractiveLogonRight'] = '*S-1-5-9, *S-1-5-32-544' + +# Configure \'Allow log on through Remote Desktop Services\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.7' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.8', '2.2.9'] +default['security_policy']['rights']['SeRemoteInteractiveLogonRight'] = '*S-1-5-32-544' + +# Ensure \'Back up files and directories\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.8' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.10' +default['security_policy']['rights']['SeBackupPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Change the system time\' is set to \'Administrators, LOCAL SERVICE\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.9' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.11' +# Ensure \'Change the time zone\' is set to \'Administrators, LOCAL SERVICE\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.10' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.12' +default['security_policy']['rights']['SeSystemtimePrivilege'] = '*S-1-5-19, *S-1-5-32-544' + +# Ensure \'Create a pagefile\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.11' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.13' +default['security_policy']['rights']['SeCreatePagefilePrivilege'] = '*S-1-5-32-544' + +# Ensure \'Create a token object\' is set to 
\'No One\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.12' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.14' +default['security_policy']['rights']['SeCreateTokenPrivilege'] = '' + +# Ensure \'Create global objects\' is set to \'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.13' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.15' +default['security_policy']['rights']['SeCreateGlobalPrivilege'] = '*S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-6' + +# Ensure \'Create permanent shared objects\' is set to \'No One\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.14' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.16' +default['security_policy']['rights']['SeCreatePermanentPrivilege'] = '' + +# Ensure \'Create symbolic links\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.15' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.17', '2.2.18'] +default['security_policy']['rights']['SeCreateSymbolicLinkPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Debug programs\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.16' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.19' +default['security_policy']['rights']['SeDebugPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Deny access to this computer from the network\' is set to \'Guests\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.17' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.20', '2.2.21'] 
+default['security_policy']['rights']['SeDenyNetworkLogonRight'] = '*S-1-5-32-546' + +# Ensure \'Deny log on as a batch job\' to include \'Guests\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.18' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.22' +default['security_policy']['rights']['SeDenyServiceLogonRight'] = '*S-1-5-32-546' + +# Ensure \'Deny log on as a service\' to include \'Guests\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.19' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.23' +default['security_policy']['rights']['SeDenyInteractiveLogonRight'] = '*S-1-5-32-546' + +# Ensure \'Deny log on locally\' to include \'Guests\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.20' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.24' +default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-546' + +# Configure \'Deny log on through Remote Desktop Services\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.21' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.25', '2.2.26'] +default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-546' + +# Configure \'Enable computer and user accounts to be trusted for delegation\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.22' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.27', '2.2.28'] +default['security_policy']['rights']['SeEnableDelegationPrivilege'] = '' + +# Ensure \'Force shutdown from a remote system\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.23' +# tag 'CIS Microsoft Windows Server 
2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.29' +default['security_policy']['rights']['SeRemoteShutdownPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Generate security audits\' is set to \'LOCAL SERVICE, NETWORK SERVICE\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.24' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.30' +default['security_policy']['rights']['SeAuditPrivilege'] = '*S-1-5-19, *S-1-5-20' + +# Configure \'Impersonate a client after authentication\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.25' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.31', '2.2.32'] +default['security_policy']['rights']['SeImpersonatePrivilege'] = '*S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-6' + +# Ensure \'Increase scheduling priority\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.26' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.33' +default['security_policy']['rights']['SeIncreaseBasePriorityPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Load and unload device drivers\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.27' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.34' +default['security_policy']['rights']['SeLoadDriverPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Lock pages in memory\' is set to \'No One\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.28' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.35' +default['security_policy']['rights']['SeLockMemoryPrivilege'] = '' + +# Ensure \'Log on as a batch job\' is set to \'Administrators\' (DC only) +# tag 'CIS Microsoft 
Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.29' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.36' +if ((node['default']['ms_or_dc'] == 'DC') && (node['default']['level_1_or_2'] == 2)) + default['security_policy']['rights']['SeBatchLogonRight'] = '*S-1-5-32-544, *S-1-5-32-551' +end + +# Configure \'Manage auditing and security log\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.30' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.38' +default['security_policy']['rights']['SeSecurityPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Modify an object label\' is set to \'No One\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.31' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.39' +default['security_policy']['rights']['SeRelabelPrivilege'] = '' + +# Ensure \'Modify firmware environment values\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.32' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.40' +default['security_policy']['rights']['SeSystemEnvironmentPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Perform volume maintenance tasks\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.33' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.41' +default['security_policy']['rights']['SeManageVolumePrivilege'] = '*S-1-5-32-544' + +# Ensure \'Profile single process\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.34' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.42' 
+default['security_policy']['rights']['SeProfileSingleProcessPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Profile system performance\' is set to \'Administrators, NT SERVICE\WdiServiceHost\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.35' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.43' +default['security_policy']['rights']['SeSystemProfilePrivilege'] = '*S-1-5-32-544, *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420' + +# Ensure \'Replace a process level token\' is set to \'LOCAL SERVICE, NETWORK SERVICE\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.36' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.44' +default['security_policy']['rights']['SeAssignPrimaryTokenPrivilege'] = '*S-1-5-19, *S-1-5-20' + +# Ensure \'Restore files and directories\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.37' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.45' +default['security_policy']['rights']['SeRestorePrivilege'] = '*S-1-5-32-544' + +# Ensure \'Shut down the system\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.38' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.46' +default['security_policy']['rights']['SeShutdownPrivilege'] = '*S-1-5-32-544' + +# Ensure \'Synchronize directory service data\' is set to \'No One\' (DC only) +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.39' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.47' +if node['default']['ms_or_dc'] == 'DC' + default['security_policy']['rights']['SeSyncAgentPrivilege'] = '' +end + +# Ensure \'Take ownership of files or 
other objects\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.40' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.48' +default['security_policy']['rights']['SeTakeOwnershipPrivilege'] = '*S-1-5-32-544' + +# + + + +default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' diff --git a/recipes/accounts.rb b/recipes/accounts.rb new file mode 100644 index 0000000..73f85d4 --- /dev/null +++ b/recipes/accounts.rb 
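Review bot: The four "Deny log on …" rights (2.2.18–2.2.21) are written under the wrong keys, so two of them never reach the policy: "Deny log on as a batch job" sets `SeDenyServiceLogonRight`, "Deny log on as a service" sets `SeDenyInteractiveLogonRight`, and both "Deny log on locally" and "Deny log on through Remote Desktop Services" overwrite `SeMachineAccountPrivilege`, which the stray assignment at the very end of the hunk then resets to Administrators — net effect, `SeDenyBatchLogonRight` and `SeDenyRemoteInteractiveLogonRight` are never set for Guests although the comments claim the controls are implemented. The corrected block is below; the trailing `#`, blank and `SeMachineAccountPrivilege` lines at the end of the hunk should go with it. "Change the time zone" (2.2.10 / 2.2.12) has a comment but no assignment and needs its own `default['security_policy']['rights']['SeTimeZonePrivilege'] = '*S-1-5-19, *S-1-5-32-544'`. The "Allow log on locally" comment says Administrators but the value also grants S-1-5-9 (Enterprise Domain Controllers); if that is the DC variant it should be gated on `node['default']['ms_or_dc']` the way the `SeBatchLogonRight` block is.
```ruby
# … unchanged: controls 1.1.1 – 2.2.17 …

# Ensure 'Deny log on as a batch job' to include 'Guests' (2012 R2 2.2.18 / 2016 2.2.22)
default['security_policy']['rights']['SeDenyBatchLogonRight'] = '*S-1-5-32-546'

# Ensure 'Deny log on as a service' to include 'Guests' (2012 R2 2.2.19 / 2016 2.2.23)
default['security_policy']['rights']['SeDenyServiceLogonRight'] = '*S-1-5-32-546'

# Ensure 'Deny log on locally' to include 'Guests' (2012 R2 2.2.20 / 2016 2.2.24)
default['security_policy']['rights']['SeDenyInteractiveLogonRight'] = '*S-1-5-32-546'

# Configure 'Deny log on through Remote Desktop Services' (2012 R2 2.2.21 / 2016 2.2.25, 2.2.26)
default['security_policy']['rights']['SeDenyRemoteInteractiveLogonRight'] = '*S-1-5-32-546'

# … unchanged: controls 2.2.22 – 2.2.40; the trailing SeMachineAccountPrivilege re-assignment is removed …
```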
@@ -0,0 +1,95 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: account_status
+#
+# Copyright (c) 2019 The Authors, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
+# Ensure \'Accounts: Administrator account status\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.1'
+# Ensure \'Accounts: Guest account status\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.3'
+node['account_status']['names'].each do |name|
+ account_status "disable #{name} account" do
+ account_name name
+ value node['account_status']['active_yes_no']
+ action :set
+ end
+end
+
+# Ensure \'Accounts: Block Microsoft accounts\' is set to \'Users can\'t add or log on with Microsoft accounts\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.2'
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' do
+ values [{
+ name: 'NoConnectedUser',
+ type: :dword,
+ data: 3
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Accounts: Limit local account use of blank passwords to console logon only\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.4'
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+ values [{
+ name: 'LimitBlankPasswordUse',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Configure \'Accounts: Rename administrator account\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.5'
+if node['rename_account']['admin_account'] == true
+ rename_account "rename Administrator name to #{node['rename_account']['new_admin_name']} account" do
+ original_name 'Administrator'
+ new_name node['rename_account']['new_admin_name']
+ action :set
+ end
+end
+
+# Configure \'Accounts: Rename guest account\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.6'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.6'
+if node['rename_account']['guest_account'] == true
+ rename_account "rename Guest name to #{node['rename_account']['new_guest_name']} account" do
+ original_name 'Guest'
+ new_name node['rename_account']['new_guest_name']
+ action :set
+ end
+end
+
+# Ensure \'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.1'
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+ values [{
+ name: 'SCENoApplyLegacyAuditPolicy',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Audit: Shut down system immediately if unable to log security audits\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.2'
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+ values [{
+ name: 'CrashOnAuditFail',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
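Review bot: Three `registry_key` resources in this recipe share the name `'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'` (LimitBlankPasswordUse, SCENoApplyLegacyAuditPolicy, CrashOnAuditFail), so any later `notifies`/`subscribes` on `registry_key[...\Lsa]` is ambiguous and the resource collection reads as one resource declared three times; give each a distinct name and pass the path through the `key` property, e.g. `registry_key 'lsa LimitBlankPasswordUse' do` / `  key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'`. The disable loop runs against the literal names `Administrator` and `Guest` before the rename blocks further down; after one successful converge those names no longer exist, so the `net user` call would fail on the next run and is only hidden by the marker file inside the `account_status` resource — resolving the built-in accounts by their well-known RIDs (500 and 501) rather than by name avoids that. `if node['rename_account']['admin_account'] == true` can be `if node['rename_account']['admin_account']`, and likewise for `guest_account`.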
diff --git a/recipes/default.rb b/recipes/default.rb index ba265ab..467a90a 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -7,7 +7,10 @@ return unless node['platform_family'] == 'windows' #include_recipe 'windows-hardening::password_policy' +include_recipe 'windows-hardening::accounts' include_recipe 'windows-hardening::security_policy' +include_recipe 'windows-hardening::devices' + include_recipe 'windows-hardening::user_rights' include_recipe 'windows-hardening::audit' include_recipe 'windows-hardening::ie' diff --git a/recipes/devices.rb b/recipes/devices.rb new file mode 100644 index 0000000..3bc3bc7 --- /dev/null +++ b/recipes/devices.rb @@ -0,0 +1,14 @@ +# Ensure \'Devices: Allowed to format and eject removable media\' is set to \'Administrators\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.4.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.4.1' +registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' do + values [{ + name: 'AllocateDASD', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# diff --git a/resources/account_status.rb b/resources/account_status.rb new file mode 100644 index 0000000..8e86fce --- /dev/null +++ b/resources/account_status.rb 
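Review bot: `recipes/devices.rb` lacks the header comment and the `return unless node['platform_family'] == 'windows'` guard that `recipes/accounts.rb` in this same patch starts with, so including it on its own on a non-Windows node would execute the `registry_key` resource; add the same guard as its first statement. The hunk also ends with a stray `+#` line that holds no comment text and should be dropped.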
@@ -0,0 +1,18 @@
+resource_name :account_status
+
+property :account_status_name, String, name_property: true
+property :account_name, String, required: true
+property :value, String, required: true
+
+action :set do
+ execute new_resource.account_status_name do
+ command "net user #{new_resource.account_name} /active:#{new_resource.value}"
+ action :run
+ not_if { ::File.exist?("C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock") }
+ notifies :create, "file[C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock]", :immediately
+ end
+
+ file "C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock" do
+ action :create
+ end
+end
\ No newline at end of file
diff --git a/resources/rename_account.rb b/resources/rename_account.rb
new file mode 100644
index 0000000..cdab02c
--- /dev/null
+++ b/resources/rename_account.rb
@@ -0,0 +1,18 @@
+resource_name :rename_account
+
+property :rename_account_name, String, name_property: true
+property :original_name, String, required: true
+property :new_name, String, required: true
+
+action :set do
+ execute new_resource.rename_account_name do
+ command "wmic useraccount where name=\'#{new_resource.original_name}\' call rename name=\'#{new_resource.new_name}\'"
+ action :run
+ not_if { ::File.exist?("C:\\rename_#{new_resource.original_name}.lock") }
+ notifies :create, "file[C:\\rename_#{new_resource.original_name}.lock]", :immediately
+ end
+
+ file "C:\\rename_#{new_resource.original_name}.lock" do
+ action :create
+ end
+end
\ No newline at end of file
diff --git a/test/integration/default/inspec/controls/tests.rb b/test/integration/default/inspec/controls/tests.rb
index 59d4765..887bc8d 100644
--- a/test/integration/default/inspec/controls/tests.rb
+++ b/test/integration/default/inspec/controls/tests.rb
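Review bot: `value` is interpolated straight into `net user … /active:#{new_resource.value}` without any constraint, although the only meaningful values are `yes` and `no`; declare it as `property :value, String, required: true, equal_to: %w[yes no]` so a typo or an unexpected attribute value fails at compile time instead of reaching the shell. The idempotency guard is keyed on `node['account_status']['active_yes_no']` rather than on the resource's own `value` (in the `not_if`, the `notifies` target and the `file` name), so a caller that passes a different `value` shares a lock file with the node-level setting and is silently skipped; use `new_resource.value` in all three places. A marker file in `C:\` only records that the command once ran: if the account is re-enabled later the control never re-converges, so a guard that inspects the account state (e.g. parsing the "Account active" line of `net user <name>`) would be more robust. The `file` resource uses `action :create`, which makes the immediate `notifies` redundant; the lock files elsewhere in this series use `action :nothing`.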
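Review bot: `original_name` and `new_name` are spliced into the `wmic useraccount where name='…' call rename name='…'` string with no validation, so a name containing a quote or other metacharacter breaks the WQL/command parsing; constrain both properties with a `regex:` matching the characters Windows actually allows in account names (max 20 characters, none of `" / \ [ ] : ; | = , + * ? < >`), e.g. `property :new_name, String, required: true, regex: /\A[^"\/\\\[\]:;|=,+*?<>']{1,20}\z/`. The `C:\rename_<original>.lock` marker is the only thing preventing a re-run; checking that the original account no longer exists is more direct and needs no `file` resource: `only_if "net user #{new_resource.original_name}"` (`net user` exits non-zero when the account is not found). The `\'` escapes inside a double-quoted Ruby string are just `'` and can be dropped, and `wmic` is deprecated on newer Windows releases — fine for the 2012 R2/2016 targets here, but worth a comment.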
@@ -2,4 +2,7 @@ # we need to skip the test to ensure we can connect with non-administrator # winrm user for our tests attribute('se_network_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551']) + attribute('se_interactive_logon_right', default: ['S-1-5-32-544', 'S-1-5-9']) + attribute('se_remote_interactive_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551']) + end From 6830f1dbbf763d4c57b74cafcbe5ffad0667b3a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Tue, 14 May 2019 20:32:22 +0200 Subject: [PATCH 3/4] add attributes for cis implementation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- attributes/account.rb | 2 +- attributes/default.rb | 4 ++-- attributes/firewall.rb | 14 ++++++++++++++ attributes/interactive_login.rb | 8 ++++++++ attributes/sec_policy.rb | 26 +++++++++++--------------- 5 files changed, 36 insertions(+), 18 deletions(-) create mode 100644 attributes/firewall.rb create mode 100644 attributes/interactive_login.rb diff --git a/attributes/account.rb b/attributes/account.rb index 38b0ed8..7b93f88 100644 --- a/attributes/account.rb +++ b/attributes/account.rb @@ -4,7 +4,7 @@ # Attributes:: account # define which accounts should be disabled -default['account_status']['names'] = ['Administrator', 'Guest'] +default['account_status']['names'] = %w[Administrator Guest] default['account_status']['active_yes_no'] = 'no' # define the new account names for Administrator and Guest diff --git a/attributes/default.rb b/attributes/default.rb index 6bc1bea..eb93ca6 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -8,7 +8,7 @@ default['windows_hardening']['smbv1']['disable'] = true # apply MS or DC configuration, possible values MS or DC -default['default']['ms_or_dc'] = 'MS' +default['windows_hardening']['ms_or_dc'] = 'MS' # apply Level 1 or 2 configuration, possible values 1 or 2 -default['default']['level_1_or_2'] = 1 \ No newline at end of file +default['windows_hardening']['level_1_or_2'] = 1 diff --git a/attributes/firewall.rb b/attributes/firewall.rb new file mode 100644 index 0000000..9d51585 --- /dev/null +++ b/attributes/firewall.rb @@ -0,0 +1,14 @@ +# encoding: utf-8 + +# Cookbook Name:: windows-hardening +# Attributes:: firewall + +# set this value if you want to activate Firewall +default['firewall']['activate'] = false + +# set this value if you want to add firewall rules +default['firewall']['rules_on'] = false + +# add some simply firewall rule, but it is recommended to apply this with an overlay cookbook +# its an array of hashes like, [{'name':'rdp','local_port': 3389,'protocol': 'TCP', 'action': 'allow'},{'name':'winrm','local_port': 5985,'protocol': 'TCP', 'action': 'allow'}] +default['firwall']['rules'] = [] diff --git a/attributes/interactive_login.rb b/attributes/interactive_login.rb new file mode 100644 index 0000000..932cd5b --- /dev/null +++ b/attributes/interactive_login.rb @@ -0,0 +1,8 @@ +# encoding: utf-8 + +# Cookbook Name:: windows-hardening +# Attributes:: interactive_login + +# set this value if you want to harden terminal services +default['interactive_login']['LegalNoticeText'] = '' +default['interactive_login']['LegalNoticeCaption'] = '' diff --git a/attributes/sec_policy.rb b/attributes/sec_policy.rb index 0b6fa6d..7c70918 100644 --- a/attributes/sec_policy.rb +++ b/attributes/sec_policy.rb 
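Review bot: The last attribute in attributes/firewall.rb is misspelled — `default['firwall']['rules'] = []` sets a key under `firwall`, so `node['firewall']['rules']` is nil unless an overlay or the kitchen suites define it, and any recipe iterating the rules would hit nil; it should be `default['firewall']['rules'] = []`. The example in the comment opens RDP (3389) and WinRM (5985) with no remote-address scoping; if the firewall cookbook's rule resource supports a source restriction (its interface is not visible here), the example should show it, since these are the two ports most worth limiting on a hardened host. Minor wording: "add some simply firewall rule" → "add some simple firewall rules".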
@@ -142,22 +142,22 @@ # Ensure \'Deny log on as a batch job\' to include \'Guests\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.18' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.22' -default['security_policy']['rights']['SeDenyServiceLogonRight'] = '*S-1-5-32-546' +default['security_policy']['rights']['SeDenyBatchLogonRight'] = '*S-1-5-32-546' # Ensure \'Deny log on as a service\' to include \'Guests\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.19' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.23' -default['security_policy']['rights']['SeDenyInteractiveLogonRight'] = '*S-1-5-32-546' +default['security_policy']['rights']['SeDenyServiceLogonRight'] = '*S-1-5-32-546' # Ensure \'Deny log on locally\' to include \'Guests\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.20' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.24' -default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-546' +default['security_policy']['rights']['SeDenyInteractiveLogonRight'] = '*S-1-5-32-546' # Configure \'Deny log on through Remote Desktop Services\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.21' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.2.25', '2.2.26'] -default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-546' +default['security_policy']['rights']['SeDenyRemoteInteractiveLogonRight'] = '*S-1-5-32-546' # Configure \'Enable computer and user accounts to be trusted for delegation\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.22' 
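Review bot: The new `SeDenyRemoteInteractiveLogonRight = '*S-1-5-32-546'` line is tagged with both 2016 items `2.2.25` and `2.2.26`, but if I recall the benchmark correctly the MS-only variant (2.2.26) expects 'Guests, Local account' while the DC-only one (2.2.25) expects just 'Guests', so the Guests-only value satisfies only the DC case. Since the file already branches on `node['windows_hardening']['ms_or_dc']` further down, the same split fits here, e.g. `default['security_policy']['rights']['SeDenyRemoteInteractiveLogonRight'] = node['windows_hardening']['ms_or_dc'] == 'MS' ? '*S-1-5-32-546, *S-1-5-113' : '*S-1-5-32-546'` (S-1-5-113 is the well-known "Local account" SID). Worth confirming against the benchmark text before changing.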
@@ -197,9 +197,7 @@ # Ensure \'Log on as a batch job\' is set to \'Administrators\' (DC only) # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.29' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.36' -if ((node['default']['ms_or_dc'] == 'DC') && (node['default']['level_1_or_2'] == 2)) - default['security_policy']['rights']['SeBatchLogonRight'] = '*S-1-5-32-544, *S-1-5-32-551' -end +default['security_policy']['rights']['SeBatchLogonRight'] = '*S-1-5-32-544, *S-1-5-32-551' if node['windows_hardening']['ms_or_dc'] == 'DC' && node['windows_hardening']['level_1_or_2'] == 2 # Configure \'Manage auditing and security log\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.30' 
@@ -249,17 +247,15 @@ # Ensure \'Synchronize directory service data\' is set to \'No One\' (DC only) # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.39' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.47' -if node['default']['ms_or_dc'] == 'DC' - default['security_policy']['rights']['SeSyncAgentPrivilege'] = '' -end + +default['security_policy']['rights']['SeSyncAgentPrivilege'] = '' if node['windows_hardening']['ms_or_dc'] == 'DC' # Ensure \'Take ownership of files or other objects\' is set to \'Administrators\' # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.2.40' # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.2.48' default['security_policy']['rights']['SeTakeOwnershipPrivilege'] = '*S-1-5-32-544' -# - - - -default['security_policy']['rights']['SeMachineAccountPrivilege'] = '*S-1-5-32-544' +# Ensure \'Network access: Allow anonymous SID/Name translation\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.1' +default['security_policy']['access']['LSAAnonymousNameLookup'] = 0 From dd014cb963db916399e9ae8a9aa20e723db3add0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Tue, 14 May 2019 20:34:32 +0200 Subject: [PATCH 4/4] until CIS 17.2.4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Patrick Münch --- .kitchen.appveyor.yml | 10 + .kitchen.yml | 5 + LICENSE | 175 +++++++++ README.md | 30 +- Rakefile | 1 - metadata.rb | 24 +- recipes/access.rb | 53 +-- recipes/accounts.rb | 28 +- .../advanced_audit_policy_configuration.rb | 77 ++++ recipes/audit.rb | 76 ++-- recipes/default.rb | 16 +- recipes/devices.rb | 21 +- recipes/domain_controller.rb | 33 ++ recipes/domain_member.rb | 85 +++++ recipes/interactive_login.rb | 124 ++++++ recipes/network_access.rb | 170 +++++++++ recipes/network_client.rb | 46 +++ recipes/network_security.rb | 124 ++++++ recipes/network_server.rb | 72 ++++ recipes/security_policy.rb | 6 +- recipes/shutdown.rb | 20 + recipes/system_objects.rb | 33 ++ recipes/user_account_control.rb | 124 ++++++ recipes/user_rights.rb | 1 - recipes/windows_firewall.rb | 356 ++++++++++++++++++ resources/account_status.rb | 2 +- resources/rename_account.rb | 2 +- .../default/inspec/controls/tests.rb | 3 +- test/integration/default/inspec/inspec.yml | 2 +- 29 files changed, 1560 insertions(+), 159 deletions(-) create mode 100644 LICENSE mode change 100755 => 100644 Rakefile create mode 100644 recipes/advanced_audit_policy_configuration.rb create mode 100644 recipes/domain_controller.rb create mode 100644 recipes/domain_member.rb create mode 100644 recipes/interactive_login.rb create mode 100644 recipes/network_access.rb create mode 100644 recipes/network_client.rb create mode 100644 recipes/network_security.rb create mode 100644 recipes/network_server.rb create mode 100644 recipes/shutdown.rb create mode 100644 recipes/system_objects.rb create mode 100644 recipes/user_account_control.rb delete mode 100644 recipes/user_rights.rb create mode 100644 recipes/windows_firewall.rb diff --git a/.kitchen.appveyor.yml b/.kitchen.appveyor.yml index 5f4c6d4..6dce1f7 100644 --- a/.kitchen.appveyor.yml +++ b/.kitchen.appveyor.yml @@ -9,6 +9,7 @@ driver: provisioner: name: chef_zero + require_chef_omnibus: 14.12.9 verifier: name: inspec 
@@ -21,7 +22,16 @@ suites: run_list: - recipe[windows-hardening::default] attributes: + account_status: + names: + - 'Guest' + rename_account: + admin_account: false security_policy: rights: SeNetworkLogonRight: '*S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551' SeRemoteInteractiveLogonRight: '*S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551' + firewall: + activate: true + rules_on: true + rules: [{'name':'rdp','local_port': 3389,'protocol': 'TCP', 'action': 'allow'},{'name':'winrm','local_port': 5985,'protocol': 'TCP', 'action': 'allow'}] \ No newline at end of file diff --git a/.kitchen.yml b/.kitchen.yml index 3fe35ea..325fc1c 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -7,6 +7,7 @@ verifier: provisioner: name: chef_zero + require_chef_omnibus: 14.12.9 platforms: - name: windows-2012R2 @@ -35,3 +36,7 @@ suites: rights: SeNetworkLogonRight: '*S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551' SeRemoteInteractiveLogonRight: '*S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551' + firewall: + activate: true + rules_on: true + rules: [{'name':'rdp','local_port': 3389,'protocol': 'TCP', 'action': 'allow'},{'name':'winrm','local_port': 5985,'protocol': 'TCP', 'action': 'allow'}] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..67db858 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,175 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
diff --git a/README.md b/README.md index b996a17..9fc1b0f 100644 --- a/README.md +++ b/README.md @@ -1,24 +1,24 @@ # windows-hardening (Chef Cookbook) -This cookbook provides recipes for ensuring that a Windows 2012 R2 system is compliant with the [DevSec Windows Baseline](https://github.com/dev-sec/windows-baseline). +This cookbook provides recipes for ensuring that a Windows 2012 R2 and 2016 system is compliant with the [DevSec Windows Baseline](https://github.com/dev-sec/windows-baseline). The [DevSec Windows Baseline](https://github.com/dev-sec/windows-baseline) checks the complete CIS documents and also some additions. ### Platforms - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 -- Windows Server 2016 Nano Server - -### Roadmap - -This cookbook aims to be the go-to-resource to implement hardening for Windows environments. In order to achieve that plan to cover the requirements of - -- CIS Windows 2012R2 -- CIS Windows 2016 -- STIG Windows 2012R2 - -Any contributions to achieve that are welcome! - +- Windows Server 2016 Nano Server + +### Roadmap + +This cookbook aims to be the go-to-resource to implement hardening for Windows environments. In order to achieve that plan to cover the requirements of + +- CIS Windows 2012R2 +- CIS Windows 2016 +- STIG Windows 2012R2 + +Any contributions to achieve that are welcome! + ## Coding guidelines Use Chef resources wherever possible. Some Chef resources we use to manage Windows: @@ -63,15 +63,15 @@ This cookbook is currently in development. It does not cover all requirements to * Alex Pop [alexpop](https://github.com/alexpop) * Yvo Van Doorn [yvovandoorn](https://github.com/yvovandoorn) * Matthew Tunny [MattTunny](https://github.com/matttunny) - +* Patrick Muench [arlimus](https://github.com/atomic111) ## Contributing See [contributor guideline](CONTRIBUTING.md). - ## License and Author +* Author:: Patrick Muench * Author:: Joe Gardiner * Author:: Christoph Hartmann * Author:: Chef Software Ltd 
diff --git a/Rakefile b/Rakefile
old mode 100755
new mode 100644
index 7701e46..a687798
--- a/Rakefile
+++ b/Rakefile
@@ -1,4 +1,3 @@
-#!/usr/bin/env rake
 # encoding: utf-8
 require 'foodcritic'
diff --git a/metadata.rb b/metadata.rb
index 6f45b1b..7ab6c5b 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -1,11 +1,31 @@
+# frozen_string_literal: true
+
+#
+# Copyright 2019, DevSec Hardening Framework Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 name 'windows-hardening'
 maintainer 'Joe Gardiner'
 maintainer_email 'joe@chef.io'
-license 'Apache 2.0'
-description 'Hardening cookbook for Windows 2012 R2'
+license 'Apache-2.0'
+description 'Hardening cookbook for Windows 2012 R2 and 2016'
 long_description 'Remediates critical issues identified by the DevSec Windows baseline'
 version '0.9.1'
 source_url 'https://github.com/dev-sec/chef-windows-hardening' if respond_to?(:source_url)
 issues_url 'https://github.com/dev-sec/chef-windows-hardening/issues' if respond_to?(:issues_url)
+chef_version '>= 14'
 supports 'windows'
 depends 'windows-security-policy'
+cookbook 'windows_firewall'
diff --git a/recipes/access.rb b/recipes/access.rb
index 957b2d0..7433222 100644
--- a/recipes/access.rb
+++ b/recipes/access.rb
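Review bot: `cookbook 'windows_firewall'` is not a metadata.rb directive — `cookbook` is Berksfile syntax — so the dependency on windows_firewall is never declared and dependency resolution will not pull it in for the recipes that use its resources; it should read `depends 'windows_firewall'`, next to `depends 'windows-security-policy'`. Whether Chef rejects or merely warns about the unknown field I can't tell from here, but either way the cookbook is missing from the dependency graph. With `chef_version '>= 14'` and a new supported platform in the description, leaving `version '0.9.1'` unchanged also looks like an oversight.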
@@ -2,64 +2,13 @@ # Cookbook Name:: windows-hardening # Recipe:: access # +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. # Copyright (c) 2016 Joe Gardiner, All Rights Reserved. return unless node['platform_family'] == 'windows' # Anonymous Access to Windows Shares and Named Pipes is Disallowed # windows-baseline: windows-base-102 -registry_key 'HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do - values [{ - name: 'RestrictNullSessAccess', - type: :dword, - data: 1 - }] - action :create_if_missing -end - -# All Shares are Configured to Prevent Anonymous Access -# windows-baseline: windows-base-103 -registry_key 'HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do - values [{ - name: 'NullSessionShares', - type: :multi_string, - data: [''] - }] - action :create_if_missing -end - -# Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled -# windows-baseline: windows-base-103 -registry_key 'HKLM\\System\\CurrentControlSet\\Control\\Lsa' do - values [{ - name: 'LmCompatibilityLevel', - type: :dword, - data: 4 - }] - action :create -end - -# Enable Strong Encryption for Windows Network Sessions on Clients -# windows-baseline: windows-base-201 -registry_key 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0' do - values [{ - name: 'NtlmMinClientSec', - type: :dword, - data: 537_395_200 - }] - action :create -end - -# Enable Strong Encryption for Windows Network Sessions on Servers -# windows-baseline: windows-base-202 -registry_key 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0' do - values [{ - name: 'NtlmMinServerSec', - type: :dword, - data: 537_395_200 - }] - action :create -end if node['windows_hardening']['smbv1']['disable'] == true registry_key 'HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do diff --git a/recipes/accounts.rb b/recipes/accounts.rb index 73f85d4..21efd59 100644 --- a/recipes/accounts.rb +++ b/recipes/accounts.rb 
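Review bot: The comment pair `# Anonymous Access to Windows Shares and Named Pipes is Disallowed` / `# windows-baseline: windows-base-102` survives at the top of recipes/access.rb while the `registry_key` it described is deleted, so it now labels the SMBv1 block beneath it, which is a different control. Either remove the two lines or replace them with a pointer to where the LanManServer/LSA settings moved (the diffstat suggests network_access.rb / network_security.rb, which are outside this view). The same orphaned header is left at the end of the recipes/audit.rb deletion hunk, where `# Account Logon Audit Log` / `# windows-baseline: windows-audit-203` remain with no resource after them.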
@@ -2,7 +2,7 @@ # Cookbook Name:: windows-hardening # Recipe:: account_status # -# Copyright (c) 2019 The Authors, All Rights Reserved. +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. return unless node['platform_family'] == 'windows' @@ -67,29 +67,3 @@ action :set end end - -# Ensure \'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\' is set to \'Enabled\' -# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.1' -# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.1' -registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do - values [{ - name: 'SCENoApplyLegacyAuditPolicy', - type: :dword, - data: 1 - }] - action :create - recursive true -end - -# Ensure \'Audit: Shut down system immediately if unable to log security audits\' is set to \'Disabled\' -# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.2' -# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.2' -registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do - values [{ - name: 'CrashOnAuditFail', - type: :dword, - data: 0 - }] - action :create - recursive true -end diff --git a/recipes/advanced_audit_policy_configuration.rb b/recipes/advanced_audit_policy_configuration.rb new file mode 100644 index 0000000..2bcfec2 --- /dev/null +++ b/recipes/advanced_audit_policy_configuration.rb 
@@ -0,0 +1,77 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: advanced_audit_policy_configuration
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+# 'Ensure \'Audit Credential Validation\' is set to \'Success and Failure\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.1.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.1.1'
+execute 'Audit Credential Validation' do
+ command 'AuditPol /Set /SubCategory:"Credential Validation" /Failure:Enable /Success:Enable'
+ action :run
+ not_if { ::File.exist?('C:\CredentialValidation.lock') }
+ notifies :create, 'file[C:\CredentialValidation.lock]', :immediately
+end
+
+file 'C:\CredentialValidation.lock' do
+ action :nothing
+end
+
+# Ensure \'Audit Application Group Management\' is set to \'Success and Failure\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.1'
+execute 'Audit Application Group Management' do
+ command 'AuditPol /Set /SubCategory:"Application Group Management" /Failure:Enable /Success:Enable'
+ action :run
+ not_if { ::File.exist?('C:\appGroupMngmtAudit.lock') }
+ notifies :create, 'file[C:\appGroupMngmtAudit.lock]', :immediately
+end
+
+file 'C:\appGroupMngmtAudit.lock' do
+ action :nothing
+end
+
+# Ensure \'Audit Computer Account Management\' is set to \'Success and Failure\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.2'
+execute 'Audit Computer Account Management' do
+ command 'AuditPol /Set /SubCategory:"Computer Account Management" /Failure:Enable /Success:Enable'
+ action :run
+ not_if { ::File.exist?('C:\appAccountMngmtAudit.lock') }
+ notifies :create, 'file[C:\appAccountMngmtAudit.lock]', :immediately
+end
+
+file 'C:\appAccountMngmtAudit.lock' do
+ action :nothing
+end
+
+# Ensure \'Audit Distribution Group Management\' is set to \'Success and Failure\' (DC only)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.3'
+if node['windows_hardening']['ms_or_dc'] == 'DC'
+ execute 'Audit Distributed Group Management' do
+ command 'AuditPol /Set /SubCategory:"Distribution Group Management" /Failure:Enable /Success:Enable'
+ action :run
+ not_if { ::File.exist?('C:\distGroupMngmtAudit.lock') }
+ notifies :create, 'file[C:\distGroupMngmtAudit.lock]', :immediately
+ end
+
+ file 'C:\distGroupMngmtAudit.lock' do
+ action :nothing
+ end
+end
+
+# Ensure \'Audit Other Account Management Events\' is set to \'Success and Failure\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.4'
+execute 'Other Account Management Events' do
+ command 'AuditPol /Set /SubCategory:"Other Account Management Events" /Failure:Enable /Success:Enable'
+ action :run
+ not_if { ::File.exist?('C:\OtherAccountManagementEvents.lock') }
+ notifies :create, 'file[C:\OtherAccountManagementEvents.lock]', :immediately
+end
+
+file 'C:\OtherAccountManagementEvents.lock' do
+ action :nothing
+end
diff --git a/recipes/audit.rb b/recipes/audit.rb
index 17d459b..8db77b2 100644
--- a/recipes/audit.rb
+++ b/recipes/audit.rb
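Review bot: Every AuditPol call is guarded by a marker file in `C:\` (`not_if { ::File.exist?('C:\CredentialValidation.lock') }` and the same pattern four more times), which only records that the command once ran; if a subcategory is later reset by a GPO or an administrator the recipe never re-converges, which defeats the purpose of a hardening control. A guard that reads the live setting is one line and needs no `file` resource at all, e.g. `not_if 'AuditPol /Get /SubCategory:"Credential Validation" | findstr /C:"Success and Failure"'`, with the caveat that AuditPol's text output is localized, so this assumes an English install. The resource name `'Audit Distributed Group Management'` does not match the `Distribution Group Management` subcategory it sets, and the comments carry stray quotes: the first starts with `# 'Ensure \'Audit Credential Validation\'` and the DC-only one ends with an extra `\'`.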
@@ -2,10 +2,37 @@ # Cookbook Name:: windows-hardening # Recipe:: audit-logging # +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. # Copyright (c) 2016 Joe Gardiner, All Rights Reserved. return unless node['platform_family'] == 'windows' +# Ensure \'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.1' +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do + values [{ + name: 'SCENoApplyLegacyAuditPolicy', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Audit: Shut down system immediately if unable to log security audits\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.2' +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do + values [{ + name: 'CrashOnAuditFail', + type: :dword, + data: 0 + }] + action :create + recursive true +end + # Configure System Event Log (Application) # windows-baseline: windows-audit-100 registry_key 'HKLM\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Application' do 
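Review bot: The two new `registry_key` resources both target `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`, creating two resources with the same name (the pattern FoodCritic FC005 flags, which other new recipes in this commit suppress with `# ignore: ~FC005`); one resource with both entries in its `values` array expresses the same intent without the duplicate, e.g. `values [{ name: 'SCENoApplyLegacyAuditPolicy', type: :dword, data: 1 }, { name: 'CrashOnAuditFail', type: :dword, data: 0 }]`. The key path also mixes single-backslash quoting with the `HKLM\\Software\\...` double-backslash style used a few lines below in the same file; both are valid in single quotes, but one convention per file is easier to grep. In the second hunk of this file, the deletion leaves the context lines `# Account Logon Audit Log` and `# windows-baseline: windows-audit-203` with no resource under them, and since only the Credential Validation subcategory is re-added in the new advanced_audit_policy_configuration recipe, the other Account Logon subcategories the removed category-level command enabled are no longer configured anywhere visible in this diff.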
@@ -56,52 +83,3 @@ # Account Logon Audit Log # windows-baseline: windows-audit-203 -execute 'Account Logon Audit Log' do - command 'AuditPol /Set /Category:"Account Logon" /Failure:Enable /Success:Enable' - action :run - not_if { ::File.exist?('C:\accountLogonAudit.lock') } - notifies :create, 'file[C:\accountLogonAudit.lock]', :immediately -end - -file 'C:\accountLogonAudit.lock' do - action :nothing -end - -# Audit Application Group Management -# windows-baseline: windows-audit-204 -execute 'Audit Application Group Management' do - command 'AuditPol /Set /SubCategory:"Application Group Management" /Failure:Enable /Success:Enable' - action :run - not_if { ::File.exist?('C:\appGroupMngmtAudit.lock') } - notifies :create, 'file[C:\appGroupMngmtAudit.lock]', :immediately -end - -file 'C:\appGroupMngmtAudit.lock' do - action :nothing -end - -# Audit Computer Account Management -# windows-baseline: windows-audit-205 -execute 'Audit Computer Account Management' do - command 'AuditPol /Set /SubCategory:"Computer Account Management" /Failure:Enable /Success:Enable' - action :run - not_if { ::File.exist?('C:\appAccountMngmtAudit.lock') } - notifies :create, 'file[C:\appAccountMngmtAudit.lock]', :immediately -end - -file 'C:\appAccountMngmtAudit.lock' do - action :nothing -end - -# Audit Distributed Group Management -# windows-baseline: windows-audit-206 -execute 'Audit Distributed Group Management' do - command 'AuditPol /Set /SubCategory:"Distribution Group Management" /Failure:Enable /Success:Enable' - action :run - not_if { ::File.exist?('C:\distGroupMngmtAudit.lock') } - notifies :create, 'file[C:\distGroupMngmtAudit.lock]', :immediately -end - -file 'C:\distGroupMngmtAudit.lock' do - action :nothing -end diff --git a/recipes/default.rb b/recipes/default.rb index 467a90a..2868888 100644 --- a/recipes/default.rb +++ b/recipes/default.rb 
@@ -2,16 +2,28 @@
 # Cookbook Name:: windows-hardening
 # Recipe:: default
 #
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
 # Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
 
 return unless node['platform_family'] == 'windows'
 
-#include_recipe 'windows-hardening::password_policy'
+# include_recipe 'windows-hardening::password_policy'
 include_recipe 'windows-hardening::accounts'
 include_recipe 'windows-hardening::security_policy'
 include_recipe 'windows-hardening::devices'
+include_recipe 'windows-hardening::domain_controller'
+include_recipe 'windows-hardening::domain_member'
+include_recipe 'windows-hardening::interactive_login'
+include_recipe 'windows-hardening::network_client'
+include_recipe 'windows-hardening::network_server'
+include_recipe 'windows-hardening::network_access'
+include_recipe 'windows-hardening::network_security'
+include_recipe 'windows-hardening::shutdown'
+include_recipe 'windows-hardening::system_objects'
+include_recipe 'windows-hardening::user_account_control'
+include_recipe 'windows-hardening::windows_firewall'
+include_recipe 'windows-hardening::advanced_audit_policy_configuration'
 
-include_recipe 'windows-hardening::user_rights'
 include_recipe 'windows-hardening::audit'
 include_recipe 'windows-hardening::ie'
 include_recipe 'windows-hardening::rdp'
diff --git a/recipes/devices.rb b/recipes/devices.rb
index 3bc3bc7..d5d6ff2 100644
--- a/recipes/devices.rb
+++ b/recipes/devices.rb
@@ -1,3 +1,11 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: devices
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
 # Ensure \'Devices: Allowed to format and eject removable media\' is set to \'Administrators\'
 # tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.4.1'
 # tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.4.1'
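Review bot: `include_recipe 'windows-hardening::user_rights'` is removed with no replacement visible in this diff, so if recipes/user_rights.rb still exists the user-rights assignments it applied silently stop converging; either delete the recipe in the same commit or keep the include until its controls are ported. The commented `# include_recipe 'windows-hardening::password_policy'` line is dead code now that the recipe is gone — drop it, or turn it into a one-line comment naming where the password controls now live. Several of the newly included recipes (domain_controller, domain_member, network_access) select themselves on `node['windows_hardening']['ms_or_dc']`, and an unset or mistyped value makes them all silently do nothing, so this file is the place to fail fast, e.g. `raise "windows_hardening.ms_or_dc must be 'MS' or 'DC'" unless %w[MS DC].include?(node['windows_hardening']['ms_or_dc'])` before the includes.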
@@ -11,4 +19,15 @@ recursive true end -# +# Ensure \'Devices: Prevent users from installing printer drivers\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.4.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.4.2' +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' do + values [{ + name: 'AddPrinterDrivers', + type: :dword, + data: 1 + }] + action :create + recursive true +end diff --git a/recipes/domain_controller.rb b/recipes/domain_controller.rb new file mode 100644 index 0000000..d5dc380 --- /dev/null +++ b/recipes/domain_controller.rb @@ -0,0 +1,33 @@ +# +# Cookbook Name:: windows-hardening +# Recipe:: domain_controller +# +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. + +return unless node['platform_family'] == 'windows' && node['windows_hardening']['ms_or_dc'] == 'DC' + +# Ensure \'Domain controller: LDAP server signing requirements\' is set to \'Require signing\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.5.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.5.2' +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters' do + values [{ + name: 'LDAPServerIntegrity', + type: :dword, + data: 2 + }] + action :create + recursive true +end + +# Ensure \'Domain controller: Refuse machine account password changes\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.5.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.5.3' +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' do + values [{ + name: 'RefusePasswordChange', + type: :dword, + data: 0 + }] + action :create + recursive true +end 
diff --git a/recipes/domain_member.rb b/recipes/domain_member.rb
new file mode 100644
index 0000000..8e6d112
--- /dev/null
+++ b/recipes/domain_member.rb
@@ -0,0 +1,85 @@ +# +# Cookbook Name:: windows-hardening +# Recipe:: domain_member +# +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. + +return unless node['platform_family'] == 'windows' && node['windows_hardening']['ms_or_dc'] == 'MS' + +# Ensure \'Domain member: Digitally encrypt or sign secure channel data (always)\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.6.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.6.1' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters' do # ignore: ~FC005 + values [{ + name: 'RequireSignOrSeal', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Domain member: Digitally encrypt secure channel data (when possible)\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.6.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.6.2' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters' do + values [{ + name: 'SealSecureChannel', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Domain member: Digitally sign secure channel data (when possible)\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.6.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.6.3' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters' do + values [{ + name: 'SignSecureChannel', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Domain member: Disable machine account password changes\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.6.4' +# tag 'CIS Microsoft Windows Server 
2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.6.4' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters' do + values [{ + name: 'DisablePasswordChange', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# Ensure \'Domain member: Maximum machine account password age\' is set to \'30 or fewer days, but not 0\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.6.5' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.6.5' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters' do + values [{ + name: 'MaximumPasswordAge', + type: :dword, + data: 30 + }] + action :create + recursive true +end + +# Ensure \'Domain member: Require strong (Windows 2000 or later) session key\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.6.6' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.6.6' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters' do + values [{ + name: 'RequireStrongKey', + type: :dword, + data: 1 + }] + action :create + recursive true +end diff --git a/recipes/interactive_login.rb b/recipes/interactive_login.rb new file mode 100644 index 0000000..819db3d --- /dev/null +++ b/recipes/interactive_login.rb 
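Review bot: The guard `return unless node['platform_family'] == 'windows' && node['windows_hardening']['ms_or_dc'] == 'MS'` skips every 2.3.6.x control on domain controllers, yet the CIS "Domain member" secure-channel controls are, to my knowledge, listed for both the Member Server and Domain Controller profiles (a DC's Netlogon secure channel to other DCs is subject to the same signing/sealing settings), so RequireSignOrSeal, SealSecureChannel, SignSecureChannel, DisablePasswordChange, MaximumPasswordAge and RequireStrongKey would go unenforced on DCs; verify against the benchmark's profile tables and, if confirmed, reduce the guard to `return unless node['platform_family'] == 'windows'`. All six `registry_key` resources open the same `Netlogon\\Parameters` key, which is why `# ignore: ~FC005` had to be added to the first one; a single resource whose `values` array lists the six entries needs no suppression and avoids six identically named resources.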
@@ -0,0 +1,124 @@ +# +# Cookbook Name:: windows-hardening +# Recipe:: interactive_login +# +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. + +return unless node['platform_family'] == 'windows' + +# Ensure \'Interactive logon: Do not display last user name\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.1' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do + values [{ + name: 'DontDisplayLastUserName', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Interactive logon: Do not require CTRL+ALT+DEL\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.2' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do + values [{ + name: 'DisableCAD', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# Ensure \'Interactive logon: Machine inactivity limit\' is set to \'900 or fewer second(s), but not 0\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.3' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do + values [{ + name: 'InactivityTimeoutSecs', + type: :dword, + data: 900 + }] + action :create + recursive true +end + +# Configure \'Interactive logon: Message text for users attempting to log on\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.4' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.4' +registry_key 
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do + values [{ + name: 'LegalNoticeText', + type: :string, + data: node['interactive_login']['LegalNoticeText'] + }] + action :create + recursive true +end + +# Configure \'Interactive logon: Message title for users attempting to log on\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.5' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.5' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do + values [{ + name: 'LegalNoticeCaption', + type: :string, + data: node['interactive_login']['LegalNoticeCaption'] + }] + action :create + recursive true +end + +# Ensure \'Interactive logon: Number of previous logons to cache (in case domain controller is not available)\' is set to \'4 or fewer logon(s)\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.6' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.6' +registry_key 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' do + values [{ + name: 'CachedLogonsCount', + type: :dword, + data: 4 + }] + action :create + recursive true +end + +# Ensure \'Interactive logon: Prompt user to change password before expiration\' is set to \'between 5 and 14 days\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.7' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.7' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' do + values [{ + name: 'PasswordExpiryWarning', + type: :dword, + data: 14 + }] + action :create + recursive true +end + +# Ensure \'Interactive logon: Require Domain Controller Authentication to unlock workstation\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows 
Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.8' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.8' +registry_key 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' do + values [{ + name: 'ForceUnlockLogon', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Interactive logon: Smart card removal behavior\' is set to \'Lock Workstation\' or higher +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.7.9' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.7.9' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' do + values [{ + name: 'ScRemoveOption', + type: :string, + data: 1 + }] + action :create + recursive true +end diff --git a/recipes/network_access.rb b/recipes/network_access.rb new file mode 100644 index 0000000..f3488e3 --- /dev/null +++ b/recipes/network_access.rb 
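Review bot: `CachedLogonsCount` is written with `type: :dword`, but Windows stores this Winlogon value as REG_SZ, and the final resource writes `type: :string` with `data: 1` (an Integer) although the registry provider expects String data for `:string`, so it is likely to fail at converge; both should be string-typed strings: `type: :string, data: '4'` for CachedLogonsCount and `data: '1'` for ScRemoveOption. The two logon-message resources read `node['interactive_login']['LegalNoticeText']` and `node['interactive_login']['LegalNoticeCaption']`, a different attribute namespace from the `node['windows_hardening']` keys used elsewhere in this commit, and a missing attribute yields `data: nil` that fails deep in the provider rather than with a clear message — consider a default in attributes/ or a guard such as `raise 'interactive_login.LegalNoticeText attribute is required' if node['interactive_login']['LegalNoticeText'].nil?`. The Winlogon key is spelled `Software\\Microsoft\\Windows NT\\...` in some resources and `SOFTWARE\\...` in others; the registry is case-insensitive, but one spelling per file reads more consistently.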
@@ -0,0 +1,170 @@ +# +# Cookbook Name:: windows-hardening +# Recipe:: network_access +# +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. + +return unless node['platform_family'] == 'windows' + +# Ensure \'Network access: Do not allow anonymous enumeration of SAM accounts\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.2' +if node['windows_hardening']['ms_or_dc'] == 'MS' + registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'RestrictAnonymousSAM', + type: :dword, + data: 1 + }] + action :create + recursive true + end +end + +# Ensure \'Network access: Do not allow anonymous enumeration of SAM accounts and shares\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.3' +if node['windows_hardening']['ms_or_dc'] == 'MS' + registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'RestrictAnonymous', + type: :dword, + data: 1 + }] + action :create + recursive true + end +end + +# Ensure \'Network access: Do not allow storage of passwords and credentials for network authentication\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.4' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.4' +if node['windows_hardening']['level_1_or_2'] == 2 + registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'DisableDomainCreds', + type: :dword, + data: 1 + }] + action :create + recursive true + end +end + +# Ensure \'Network access: Let Everyone permissions apply to anonymous users\' is set to \'Disabled\' +# tag 'CIS 
Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.5' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.5' +registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'EveryoneIncludesAnonymous', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Configure \'Network access: Named Pipes that can be accessed anonymously\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.6' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': ['2.3.10.6', '2.3.10.7'] +registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters' do + values [{ + name: 'NullSessionPipes', + type: :multi_string, + data: [] + }] + action :create + recursive true +end + +# Configure \'Network access: Remotely accessible registry paths\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.7' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.8' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths' do + values [{ + name: 'Machine', + type: :multi_string, + data: ['System\\CurrentControlSet\\Control\\ProductOptions', 'System\\CurrentControlSet\\Control\\Server Applications', 'Software\\Microsoft\\Windows NT\\CurrentVersion'] + }] + action :create + recursive true +end + +# Configure \'Network access: Remotely accessible registry paths and sub-paths\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.8' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.9' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedPaths' do + values [{ + name: 'Machine', + type: :multi_string, + data: 
['System\\CurrentControlSet\\Control\\Print\\Printers', 'System\\CurrentControlSet\\Services\\Eventlog', 'Software\\Microsoft\\OLAP Server', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Print', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows', 'System\\CurrentControlSet\\Control\\ContentIndex', 'System\\CurrentControlSet\\Control\\Terminal Server', 'System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig', 'System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib', 'System\\CurrentControlSet\\Services\\SysmonLog'] + }] + action :create + recursive true +end + +# Ensure \'Network access: Restrict anonymous access to Named Pipes and Shares\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.9' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.10' +registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters' do + values [{ + name: 'RestrictNullSessAccess', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Network access: Restrict clients allowed to make remote calls to SAM\' is set to \'Administrators: Remote Access: Allow\' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.11' +if node['platform_version'].to_f == 10.0 + registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters' do + values [{ + name: 'restrictremotesam', + type: :string, + data: 'O:BAG:BAD:(A;;RC;;;BA)' + }] + action :create + recursive true + end +end + +# Ensure \'Network access: Shares that can be accessed anonymously\' is set to \'None\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.10' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.12' 
+registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters' do + values [{ + name: 'NullSessionShares', + type: :multi_string, + data: [] + }] + action :create + recursive true +end + +# Ensure \'Network access: Sharing and security model for local accounts\' is set to \'Classic - local users authenticate as themselves\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.10.11' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.10.13' +registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'ForceGuest', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# Ensure \'Network security: Allow Local System to use computer identity for NTLM\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.1' +registry_key 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'UseMachineId', + type: :dword, + data: 1 + }] + action :create + recursive true +end diff --git a/recipes/network_client.rb b/recipes/network_client.rb new file mode 100644 index 0000000..7bddc23 --- /dev/null +++ b/recipes/network_client.rb 
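Review bot: `EveryoneIncludesAnonymous` is set to `data: 1`, which enables the setting, while the comment above it (and CIS 2.3.10.5) require it Disabled — a value of 1 extends the Everyone group's permissions to anonymous connections and undoes part of what RestrictAnonymous and RestrictNullSessAccess in this same file tighten; change it to `data: 0`. The `restrictremotesam` resource is gated on `node['platform_version'].to_f == 10.0`; `>= 10.0` expresses "Server 2016 or later" and survives a future major version bump, whereas `==` silently skips the control there. The final resource (UseMachineId, tagged 2.3.11.1) is a "Network security" control and would sit more naturally in network_security.rb alongside the other 2.3.11.x items.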
@@ -0,0 +1,46 @@ +# +# Cookbook Name:: windows-hardening +# Recipe:: network_client +# +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. + +return unless node['platform_family'] == 'windows' + +# Ensure \'Microsoft network client: Digitally sign communications (always)\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.8.1' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.8.1' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters' do # ignore: ~FC005 + values [{ + name: 'RequireSecuritySignature', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Microsoft network client: Digitally sign communications (if server agrees)\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.8.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.8.2' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters' do + values [{ + name: 'EnableSecuritySignature', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Microsoft network client: Send unencrypted password to third-party SMB servers\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.8.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.8.3' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters' do + values [{ + name: 'EnablePlainTextPassword', + type: :dword, + data: 0 + }] + action :create + recursive true +end diff --git a/recipes/network_security.rb b/recipes/network_security.rb new file mode 100644 index 0000000..ca5b827 --- /dev/null +++ b/recipes/network_security.rb 
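Review bot: The three `registry_key` resources all address `LanmanWorkstation\\Parameters`, which is why `# ignore: ~FC005` had to be added to the first; folding RequireSecuritySignature, EnableSecuritySignature and EnablePlainTextPassword into one resource's `values` array removes the duplicate resource names and the suppression. This is a style point only — the data values (1, 1, 0) match the cited 2.3.8.x controls.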
@@ -0,0 +1,124 @@ +# +# Cookbook Name:: windows-hardening +# Recipe:: network_security +# +# Copyright (c) 2019 Patrick Muench, All Rights Reserved. + +return unless node['platform_family'] == 'windows' + +# Ensure \'Network security: Allow LocalSystem NULL session fallback\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.2' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.2' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0' do + values [{ + name: 'AllowNullSessionFallback', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# Ensure \'Network Security: Allow PKU2U authentication requests to this computer to use online identities\' is set to \'Disabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.3' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.3' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\pku2u' do + values [{ + name: 'AllowOnlineID', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# Ensure \'Network security: Configure encryption types allowed for Kerberos\' is set to \'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.4' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.4' +registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters' do + values [{ + name: 'SupportedEncryptionTypes', + type: :dword, + data: 2_147_483_644 + }] + action :create + recursive true +end + +# Ensure \'Network security: Do not store LAN Manager hash value on next password change\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 
Benchmark v2.3.0 - 03-30-2018': '2.3.11.5' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.5' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'NoLMHash', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Network security: Force logoff when logon hours expire\' is set to \'Enabled\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.6' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.6' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do + values [{ + name: 'EnableForcedLogOff', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Network security: LAN Manager authentication level\' is set to \'Send NTLMv2 response only. Refuse LM\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.7' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.7' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa' do + values [{ + name: 'LmCompatibilityLevel', + type: :dword, + data: 5 + }] + action :create + recursive true +end + +# Ensure \'Network security: LDAP client signing requirements\' is set to \'Negotiate signing\' or higher\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.8' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.8' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP' do + values [{ + name: 'LDAPClientIntegrity', + type: :dword, + data: 1 + }] + action :create + recursive true +end + +# Ensure \'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\' is set to \'Require NTLMv2 session security, Require 128-bit 
encryption\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.9' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.9' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0' do + values [{ + name: 'NTLMMinClientSec', + type: :dword, + data: 536_870_912 + }] + action :create + recursive true +end + +# Ensure \'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers\' is set to \'Require NTLMv2 session security, Require 128-bit encryption\' +# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.11.10' +# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.11.10' +registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0' do + values [{ + name: 'NTLMMinServerSec', + type: :dword, + data: 536_870_912 + }] + action :create + recursive true +end diff --git a/recipes/network_server.rb b/recipes/network_server.rb new file mode 100644 index 0000000..6850691 --- /dev/null +++ b/recipes/network_server.rb 
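Review bot: `NTLMMinClientSec` and `NTLMMinServerSec` are set to `536_870_912` (0x20000000), which is only the "Require 128-bit encryption" flag; the "Require NTLMv2 session security" flag (0x00080000) that the comments and CIS 2.3.11.9/2.3.11.10 also call for is missing, so the intended value in both resources is `537_395_200` (0x20080000). The comment for 2.3.11.8 has an unbalanced quote (`\'Negotiate signing\' or higher\'`). As in the other new recipes, the repeated `Control\\Lsa` and `Control\\Lsa\\MSV1_0` keys could each be a single `registry_key` with several `values` entries instead of identically named resources.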
@@ -0,0 +1,72 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: network_server
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
+# Ensure \'Microsoft network server: Amount of idle time required before suspending session\' is set to \'15 or fewer minute(s), but not 0\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.9.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.9.1'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do # ignore: ~FC005
+ values [{
+ name: 'AutoDisconnect',
+ type: :dword,
+ data: 15
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Microsoft network server: Digitally sign communications (always)\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.9.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.9.2'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do
+ values [{
+ name: 'RequireSecuritySignature',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Microsoft network server: Digitally sign communications (if client agrees)\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.9.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.9.3'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do
+ values [{
+ name: 'EnableSecuritySignature',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Microsoft network server: Disconnect clients when logon hours expire\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.9.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.9.4'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do
+ values [{
+ name: 'EnableForcedLogoff',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Microsoft network server: Server SPN target name validation level\' is set to \'Accept if provided by client\' or higher\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.9.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.9.5'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters' do
+ values [{
+ name: 'SMBServerNameHardeningLevel',
+ type: :dword,
+ data: 2
+ }]
+ action :create
+ recursive true
+end
diff --git a/recipes/security_policy.rb b/recipes/security_policy.rb
index 1cd8b67..68b2aba 100644
--- a/recipes/security_policy.rb
+++ b/recipes/security_policy.rb
@@ -6,11 +6,7 @@
 return unless node['platform_family'] == 'windows'
-# cis: account-lockout-duration 1.2.1,
-# cis: reset-account-lockout 1.2.3
-# windows-baseline: windows-account-104
-# windows-baseline: windows-account-100,
-# cis: add-workstations 2.2.4
+# see sec_policy attributes
 security_policy 'Local Policy' do
 policy_template "#{node['security_policy']['template']['location']}\\mySecurityPolicy.inf"
 database "#{node['security_policy']['database']['location']}\\#{node['security_policy']['database']['name']}"
diff --git a/recipes/shutdown.rb b/recipes/shutdown.rb
new file mode 100644
index 0000000..34bd05c
--- /dev/null
+++ b/recipes/shutdown.rb
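Review bot: The 2.3.9.4 resource writes `EnableForcedLogoff` under `...\\Services\\LanManServer\\Parameters`, which is the same registry value the preceding client recipe writes as `EnableForcedLogOff` (its 2.3.11.6 block); Windows value names are case-insensitive, so two resources now manage one value under two spellings, which is at best a redundant write and, if Chef's value-name comparison turns out to be case-sensitive, may report a change on every converge — keep a single spelling in a single resource. Separately, `SMBServerNameHardeningLevel` is set to `2` ("Required from client") although the comment only requires "Accept if provided by client or higher" (level 1); 2 is stricter and can reject SMB clients that send no SPN, so either use `data: 1` or record the decision, e.g. `# 2 (Required from client) chosen over the benchmark minimum of 1; relax to 1 if legacy SMB clients are rejected`.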
@@ -0,0 +1,20 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: shutdown
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
+# Ensure \'Shutdown: Allow system to be shut down without having to log on\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.13.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.13.1'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'ShutdownWithoutLogon',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
diff --git a/recipes/system_objects.rb b/recipes/system_objects.rb
new file mode 100644
index 0000000..24cee05
--- /dev/null
+++ b/recipes/system_objects.rb
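Review bot: The `\'` sequences in the `# Ensure ...` comment line are literal backslashes inside a Ruby comment, not escapes, so the comment reads `\'Shutdown: ...\'` to anyone opening the file; plain quotes are all that is needed: `# Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'`. The same copy-paste artefact is in every `# Ensure` comment of the new network_server, system_objects, user_account_control and windows_firewall recipes and can be fixed in one pass.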
@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: system_objects
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
+# Ensure \'System objects: Require case insensitivity for non-Windows subsystems\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.15.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.15.1'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Kernel' do
+ values [{
+ name: 'ObCaseInsensitive',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.15.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.15.2'
+registry_key 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager' do
+ values [{
+ name: 'ProtectionMode',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
diff --git a/recipes/user_account_control.rb b/recipes/user_account_control.rb
new file mode 100644
index 0000000..339601f
--- /dev/null
+++ b/recipes/user_account_control.rb
@@ -0,0 +1,124 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: user_account_control
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
+# Ensure \'User Account Control: Admin Approval Mode for the Built-in Administrator account\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.1'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do # ignore: ~FC005
+ values [{
+ name: 'FilterAdministratorToken',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.2'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'EnableUIADesktopToggle',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode\' is set to \'Prompt for consent on the secure desktop\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.3'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'ConsentPromptBehaviorAdmin',
+ type: :dword,
+ data: 2
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Behavior of the elevation prompt for standard users\' is set to \'Automatically deny elevation requests\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.4'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'ConsentPromptBehaviorUser',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Detect application installations and prompt for elevation\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.5'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'EnableInstallerDetection',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Only elevate UIAccess applications that are installed in secure locations\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.6'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.6'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'EnableSecureUIAPaths',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Run all administrators in Admin Approval Mode\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.7'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.7'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'EnableLUA',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Switch to the secure desktop when prompting for elevation\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.8'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.8'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'PromptOnSecureDesktop',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'User Account Control: Virtualize file and registry write failures to per-user locations\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.17.9'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.17.9'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
+ values [{
+ name: 'EnableVirtualization',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
diff --git a/recipes/user_rights.rb b/recipes/user_rights.rb
deleted file mode 100644
index 24c0dff..0000000
--- a/recipes/user_rights.rb
+++ /dev/null
@@ -1 +0,0 @@
-# Encoding: UTF-8
diff --git a/recipes/windows_firewall.rb b/recipes/windows_firewall.rb
new file mode 100644
index 0000000..369bc44
--- /dev/null
+++ b/recipes/windows_firewall.rb
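Review bot: All nine `registry_key` resources in this recipe target the identical key `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`, which is why the first one needs the `# ignore: ~FC005` suppression; one resource with a multi-entry `values` array expresses the same policy, removes the duplicate-resource warning and gives a single converge line to read. The CIS tags can travel with the entries as trailing comments so traceability is not lost. A one-line comment on `EnableLUA` would also help operators, since that value only takes effect after a restart: `# EnableLUA changes apply after the next reboot`. A consolidated form is sketched below.
```ruby
# 2.3.17.1 - 2.3.17.9: every UAC setting lives under this one key, so manage them as one resource
registry_key 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' do
  values [
    { name: 'FilterAdministratorToken', type: :dword, data: 1 },   # 2.3.17.1
    { name: 'EnableUIADesktopToggle', type: :dword, data: 0 },     # 2.3.17.2
    { name: 'ConsentPromptBehaviorAdmin', type: :dword, data: 2 }, # 2.3.17.3
    { name: 'ConsentPromptBehaviorUser', type: :dword, data: 0 },  # 2.3.17.4
    { name: 'EnableInstallerDetection', type: :dword, data: 1 },   # 2.3.17.5
    { name: 'EnableSecureUIAPaths', type: :dword, data: 1 },       # 2.3.17.6
    { name: 'EnableLUA', type: :dword, data: 1 },                  # 2.3.17.7, applies after reboot
    { name: 'PromptOnSecureDesktop', type: :dword, data: 1 },      # 2.3.17.8
    { name: 'EnableVirtualization', type: :dword, data: 1 }        # 2.3.17.9
  ]
  action :create
  recursive true
end
```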
@@ -0,0 +1,356 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: windows_firewall
+#
+# Copyright (c) 2019 Patrick Muench, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows' && node['firewall']['activate'] == true
+
+# Ensure \'Windows Firewall: Domain: Firewall state\' is set to \'On (recommended)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.1'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile' do
+ values [{
+ name: 'EnableFirewall',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Inbound connections\' is set to \'Block (default)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.2'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile' do
+ values [{
+ name: 'DefaultInboundAction',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Outbound connections\' is set to \'Allow (default)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.3'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile' do
+ values [{
+ name: 'DefaultOutboundAction',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Settings: Display a notification\' is set to \'No\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.4'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile' do
+ values [{
+ name: 'DisableNotifications',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Logging: Name\' is set to \'%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.5'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging' do
+ values [{
+ name: 'LogFilePath',
+ type: :string,
+ data: '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Logging: Size limit (KB)\' is set to \'16,384 KB or greater\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.6'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.6'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging' do
+ values [{
+ name: 'LogFileSize',
+ type: :dword,
+ data: 16_384
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Logging: Log dropped packets\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.7'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.7'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging' do
+ values [{
+ name: 'LogDroppedPackets',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Domain: Logging: Log successful connections\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.8'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.8'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging' do
+ values [{
+ name: 'LogSuccessfulConnections',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Firewall state\' is set to \'On (recommended)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.1'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile' do
+ values [{
+ name: 'EnableFirewall',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Inbound connections\' is set to \'Block (default)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.2'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile' do
+ values [{
+ name: 'DefaultInboundAction',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Outbound connections\' is set to \'Allow (default)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.3'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile' do
+ values [{
+ name: 'DefaultOutboundAction',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Settings: Display a notification\' is set to \'No\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.4'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile' do
+ values [{
+ name: 'DisableNotifications',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Logging: Name\' is set to \'%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.5'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging' do
+ values [{
+ name: 'LogFilePath',
+ type: :string,
+ data: '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Logging: Size limit (KB)\' is set to \'16,384 KB or greater\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.6'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.6'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging' do
+ values [{
+ name: 'LogFileSize',
+ type: :dword,
+ data: 16_384
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Logging: Log dropped packets\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.7'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.7'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging' do
+ values [{
+ name: 'LogDroppedPackets',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Private: Logging: Log successful connections\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.8'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.8'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging' do
+ values [{
+ name: 'LogSuccessfulConnections',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Firewall state\' is set to \'On (recommended)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.1'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile' do
+ values [{
+ name: 'EnableFirewall',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Inbound connections\' is set to \'Block (default)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.2'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile' do
+ values [{
+ name: 'DefaultInboundAction',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Outbound connections\' is set to \'Allow (default)\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.3'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile' do
+ values [{
+ name: 'DefaultOutboundAction',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Settings: Display a notification\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.4'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile' do
+ values [{
+ name: 'DisableNotifications',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Settings: Apply local firewall rules\' is set to \'No\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.5'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile' do
+ values [{
+ name: 'AllowLocalPolicyMerge',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Settings: Apply local connection security rules\' is set to \'No\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.6'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.6'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile' do
+ values [{
+ name: 'AllowLocalIPsecPolicyMerge',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Logging: Name\' is set to \'%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.7'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.7'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging' do
+ values [{
+ name: 'LogFilePath',
+ type: :string,
+ data: '%SYSTEMROOT%\\system32\\logfiles\\firewall\\publicfw.log'
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Logging: Size limit (KB)\' is set to \'16,384 KB or greater\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.8'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.8'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging' do
+ values [{
+ name: 'LogFileSize',
+ type: :dword,
+ data: 16_384
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Logging: Log dropped packets\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.9'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.9'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging' do
+ values [{
+ name: 'LogDroppedPackets',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Ensure \'Windows Firewall: Public: Logging: Log successful connections\' is set to \'Yes\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.10'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.10'
+registry_key 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging' do
+ values [{
+ name: 'LogSuccessfulConnections',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# setup some basic firewall rules, it is just required to test this cookbook
+if node['firewall']['rules_on'] == true
+ node['firewall']['rules'].each do |rule|
+ windows_firewall_rule rule['name'] do
+ local_port rule['local_port']
+ protocol rule['protocol']
+ firewall_action rule['action']
+ end
+ end
+end
diff --git a/resources/account_status.rb b/resources/account_status.rb
index 8e86fce..676677e 100644
--- a/resources/account_status.rb
+++ b/resources/account_status.rb
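Review bot: The 9.3.4 block's comment says the Public profile's "Display a notification" is set to 'Yes', yet the resource writes `DisableNotifications` with `data: 1`, which turns notifications off — the identical value the Domain and Private blocks use to implement 'No'; one of the two is wrong, so check the benchmark wording and make the comment and the data agree. The Public `LogFilePath` also uses `%SYSTEMROOT%\\system32\\...` while the Domain and Private paths use `System32`; the registry and NTFS do not care, but a test that compares the string will, so use one spelling: `data: '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'`. The trailing `windows_firewall_rule` loop is, per its own comment, only there to exercise the cookbook; rules driven by `node['firewall']['rules']` in a hardening recipe are easy to misuse as a way to open ports on production nodes, so either move the loop into a test fixture cookbook or expand the comment to say that the attribute is intended for test runs only.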
@@ -15,4 +15,4 @@
 file "C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock" do
 action :create
 end
-end
\ No newline at end of file
+end
diff --git a/resources/rename_account.rb b/resources/rename_account.rb
index cdab02c..50f59d0 100644
--- a/resources/rename_account.rb
+++ b/resources/rename_account.rb
@@ -15,4 +15,4 @@
 file "C:\\rename_#{new_resource.original_name}.lock" do
 action :create
 end
-end
\ No newline at end of file
+end
diff --git a/test/integration/default/inspec/controls/tests.rb b/test/integration/default/inspec/controls/tests.rb
index 887bc8d..aae02bb 100644
--- a/test/integration/default/inspec/controls/tests.rb
+++ b/test/integration/default/inspec/controls/tests.rb
@@ -4,5 +4,6 @@
 attribute('se_network_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551'])
 attribute('se_interactive_logon_right', default: ['S-1-5-32-544', 'S-1-5-9'])
 attribute('se_remote_interactive_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551'])
-
+ skip_control 'windows-050'
+ skip_control 'windows-054'
 end
diff --git a/test/integration/default/inspec/inspec.yml b/test/integration/default/inspec/inspec.yml
index 73dbe5e..0a5aba8 100644
--- a/test/integration/default/inspec/inspec.yml
+++ b/test/integration/default/inspec/inspec.yml
@@ -1,4 +1,4 @@
 name: windows-hardening-integration-tests
 depends:
 - name: windows-baseline
- path: ../windows-baseline
\ No newline at end of file
+ url: https://github.com/dev-sec/windows-baseline
\ No newline at end of file
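Review bot: The two new `skip_control` lines give no reason for dropping baseline controls windows-050 and windows-054, so a later reader cannot tell whether this is a temporary workaround or a deliberate deviation from the baseline, and the lost coverage is invisible in the test output. Add a comment above them stating the cause and the condition for re-enabling, e.g. `# windows-050/054 skipped: <reason> - re-enable once <condition>`, ideally referencing a tracking issue. The enclosing block that these calls live in starts outside the hunk.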
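Review bot: Replacing the local `path:` dependency with an unpinned `url:` makes every test run fetch whatever the upstream default branch holds at that moment, so results are not reproducible and an upstream change — or a compromised upstream repository — alters what the integration tests assert without any change in this cookbook. Pin the profile to a released version and bump it deliberately, e.g. `git: https://github.com/dev-sec/windows-baseline` together with `tag: <pinned-release>` (placeholder; pick the release the tests were validated against).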