Update Section 1 Logic, Section 19 Features Added, Handler Fixes, Prelim Fixes

defaults/main.yml

@@ -42,8 +42,14 @@ min_ansible_version: "2.10.1"
 # win19cis_rule_18_9_102_2_2
 # win19cis_rule_18_9_102_2_3
 # win19cis_rule_18_9_103_1
+# win19cis_rule_18_10_89_2_2 # Breaks WinRM Connections
 win_skip_for_test: false
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
@@ -329,7 +335,7 @@ win19cis_rule_18_9_5_4: true
 win19cis_rule_18_9_5_5: true
 win19cis_rule_18_9_5_6: true
 win19cis_rule_18_9_5_7: true
-win19cis_rule_18_8_7_2: true
+win19cis_rule_18_9_7_2: true
 win19cis_rule_18_9_13_1: true
 win19cis_rule_18_9_19_2: true
 win19cis_rule_18_9_19_3: true
@@ -462,25 +468,23 @@ win19cis_rule_18_10_81_1: true
 win19cis_rule_18_10_81_2: true
 win19cis_rule_18_10_81_3: true
 win19cis_rule_18_10_82_1: true
-win19cis_rule_18_10_82_2: true
 win19cis_rule_18_10_87_1: true
 win19cis_rule_18_10_87_2: true
 # WINRM CONTROLS #
 # Setting The Following Controls To True Will Break the Ansible Connection
 # Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
 # win19cis_rule_18_10_89_1_1
 # win19cis_rule_18_10_89_1_2
+# win19cis_rule_18_10_89_1_3
 # win19cis_rule_18_10_89_2_1
 # win19cis_rule_18_10_89_2_2
 # win19cis_rule_18_10_89_2_3
 win19cis_rule_18_10_89_1_1: true
 win19cis_rule_18_10_89_1_2: true
+win19cis_rule_18_10_89_1_3: true
 win19cis_rule_18_10_89_2_1: true
-win19cis_rule_18_10_89_2_2: true
+win19cis_rule_18_10_89_2_2: true # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart. We have it set to skip for testing.
 win19cis_rule_18_10_89_2_3: true
-# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following
-# machine restart. The CIS standard calls for 0 but doing so will break all remote connections to the system.
-win19cis_rule_18_10_89_1_3: true
 win19cis_rule_18_10_89_2_4: true
 win19cis_rule_18_10_90_1: true
 # WINRM CONTROLS END #
@@ -642,12 +646,59 @@ win19cis_cached_logons_count: 1
 # The recommended state for this setting is: between 5 and 14 days.
 win19cis_password_expiry_warning_days: 14
 
+# 2.3.7.9
+# win19cis_sc_remove_option is the setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+# Note: Possible Valid Settings
+# 1 - Lock Workstation
+# 2 - Force Loggoff
+# 3 - Disconnect if a Remote Desktop Services session
+# Default: 1
+win19cis_sc_remove_option: 1
+
 # 2.3.9.1
 # win19cis_smb_auto_disconnect_time is the policy setting that allows you to specify the amount of continuous idle time that must pass in an
 # SMB session before the session is suspended because of inactivity.
 # The recommended state for this setting is: 15 or fewer minute(s).
 win19cis_smb_auto_disconnect_time: 15
 
+# 2.3.9.5
+# win19cis_smb_server_name_hardening_level is the policy setting controls the level of validation a computer with shared
+# folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when
+# it establishes a session using the server message block (SMB) protocol.
+# Note: Possible Valid Settings
+# 1 - Accept if provided by client
+# 2 - Required from client
+# Default: 1
+win19cis_smb_server_name_hardening_level: 1
+
+# 2.3.11.4
+# win19cis_legacy_rc4_hmac_md5_support is the setting to configure the Windows 11 machine to support older kerberos.
+# Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment
+# and verify whether you can safely remove it.
+# CIS prefers keeping this setting as False to satisfy the requirements.
+# Default: false
+win19cis_legacy_rc4_hmac_md5_support: false
+
+# 2.3.11.8
+# win19cis_ldap_client_integrity is the policy setting determines the level of data signing that is requested on
+# behalf of clients that issue LDAP BIND requests. Configuring this setting to Require signing also conforms to the benchmark.
+# The recommended state for this setting is: Negotiate signing.
+# Note: Possible Valid Settings
+# 1 - Negotiate signing
+# 2 - Require signing
+# Default: 1
+win19cis_ldap_client_integrity: 1
+
+# 2.3.17.2
+# win19cis_consent_prompt_behavior_admin is the policy setting controls the behavior of the elevation prompt for administrators.
+# Configuring this setting to Prompt for credentials on the secure desktop also conforms to the benchmark.
+# The recommended state for this setting is: Prompt for consent on the secure desktop.
+# Note: Possible Valid Settings
+# 1 - Prompt for credentials on the secure desktop
+# 2 - Prompt for consent on the secure desktop
+# Default: 2
+win19cis_consent_prompt_behavior_admin: 2
+
 # Section 9 Variables
 
 # 9.1.5
@@ -682,7 +733,6 @@ win19cis_public_firewall_log_size: 16384
 
 # Section 18 Variables
 
-
 # 18.3.5
 # win19cis_laps_password_length is the LAPS tool password length.
 # The recommended state for this setting is: Enabled: 15 or more.

handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 
-- name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always

tasks/main.yml

@@ -87,6 +87,12 @@
   tags:
       - section19
 
+- name: Run Post Tasks
+  ansible.builtin.import_tasks:
+      file: post.yml
+  tags:
+      - always
+
 - name: If Warnings found Output count and control IDs affected
   ansible.builtin.debug:
       msg:

tasks/post.yml

@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always

tasks/prelim.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Set System Facts Based On Gather Facts Module
+- name: PRELIM | Set System Facts Based On Gather Facts Module
   block:
       - name: Set fact is system is standalone
         ansible.builtin.set_fact:
@@ -26,7 +26,7 @@
 # Current list is elastic and will be updated as we test more cloud based services.
 # Current testing is working in Azure using Hyper-V. We are currently using this for reference:
 # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
-- name: Set Fact If Cloud-Based System.
+- name: PRELIM | Set Fact If Cloud-Based System.
   ansible.builtin.set_fact:
       win19cis_cloud_based_system: true
   when:
@@ -36,16 +36,52 @@
   tags:
       - always
 
-- name: Get Windows installation type
+- name: PRELIM | Get Windows installation type
   ansible.windows.win_reg_stat:
       path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
       name: InstallationType
   register: get_windows_installation_type
   tags:
       - always
 
-- name: Set Windows installation type
+- name: PRELIM | Set Windows installation type
   ansible.builtin.set_fact:
       windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
   tags:
       - always
+
+- name: PRELIM | Obtatin And Load Default Hive As Well As User Hives
+  block:
+      - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
+        ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+
+      - name: PRELIM | Pull All Username and SIDs
+        ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
+        changed_when: false
+        failed_when: false
+        register: all_users
+
+      - name: PRELIM | Create Results List Fact For Username And SIDs
+        ansible.builtin.set_fact:
+            username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
+
+      - name: PRELIM | Load All User Hives From Username And SIDs List
+        ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+        loop: "{{ username_and_sid_results_list }}"
+
+      - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
+        ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+        changed_when: false
+        failed_when: false
+        register: current_users_loaded_hku
+
+      - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
+        ansible.builtin.set_fact:
+            hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
+  when: win19cis_section19
+  tags:
+      - always

tasks/section01.yml

@@ -177,9 +177,7 @@
   ansible.builtin.import_tasks:
       file: section01_cloud_lockout_order.yml
   when:
-      - win19cis_cloud_based_system or
-        win2019cis_is_domain_controller or
-        win2019cis_is_domain_member
+      - win19cis_cloud_based_system
   tags:
       - section01_cloud_lockout_order
 
@@ -254,9 +252,7 @@
             - win19cis_account_lockout_counter_reset <= win19cis_account_lockout_duration
   when:
       - win19cis_rule_1_2_4
-      - not win19cis_cloud_based_system or
-        win2019cis_is_domain_controller or
-        win2019cis_is_domain_member
+      - not win19cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -288,9 +284,7 @@
         when: win19cis_account_lockout_duration >= 15
   when:
       - win19cis_rule_1_2_1
-      - not win19cis_cloud_based_system or
-        win2019cis_is_domain_controller or
-        win2019cis_is_domain_member
+      - not win19cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver

tasks/section01_cloud_lockout_order.yml

@@ -80,6 +80,7 @@
       value: "{{ win19cis_allow_admin_account_lockout }}"
   when:
       - win19cis_rule_1_2_3
+      - win2019cis_is_domain_member
   tags:
       - level1-memberserver
       - rule_1.2.3