ansible-lockdown / Windows-11-CIS

CIS Baseline Ansible Role for Windows 11 Enterprise
http://www.lockdownenterprise.com
MIT License

CIS rule 5.3 disables incorrect service #12

Open dwierima-aspentech opened 2 months ago

dwierima-aspentech commented 2 months ago

Describe the Issue CIS rule 5.3 is intended to disable the Computer Browser (Browser) service; however, it incorrectly disables the Browser (bowser) service. The Browser (bowser) service is a dependency for the Workstation service, which causes all sorts of issues, including the workstation being unable to connect to SMB shares.

This appears to be because the ansible.windows.win_service and win_service_info modules treat the name parameter as either the display name or the internal name. This can be seen in the documentation for the win_service_info module: link. This causes an issue with the Computer Browser (Browser) and Browser (bowser) services because the internal name of Computer Browser (Browser) is 'Browser', which matches the display name of Browser (bowser), 'Browser'.

This 'name collision' causes the browser (bowser) service to be incorrectly disabled if computer browser (browser) is not installed (which is provided by SAMBA1.0/CIFS file support). This is the case by default for Windows 10 1709 and newer and all versions of Windows 11.

Expected Behavior If computer browser is installed that service is disabled. Otherwise nothing happens.

Actual Behavior If computer browser is not installed the browser service is getting disabled.

See below for empirical evidence that Ansible will accept both the display name and the internal name for a service. This is the Ansible code I used to debug this issue:

- name: DEBUG Browser Service
  block:
    - name: Get browser service info
      ansible.windows.win_service_info:
        name: Browser
      register: browser_service_info

    - name: Output browser service info
      ansible.builtin.debug:
        msg: '{{  browser_service_info }}'

- name: DEBUG Computer Browser Service
  block:
    - name: Get computer browser service info
      ansible.windows.win_service_info:
        name: Computer Browser
      register: computer_browser_service_info

    - name: Output computer browser service info
      ansible.builtin.debug:
        msg: '{{  computer_browser_service_info }}'

Which produced this output:

TASK [win_wks_min_config : Get browser service info] *****
ok: [wks1]

TASK [win_wks_min_config : Output browser service info] ***
ok: [wks1] => 
  msg:
    changed: false
    exists: true
    failed: false
    services:
    - checkpoint: 0
      controls_accepted:
      - stop
      dependencies:
      - LanmanWorkstation
      - LanmanServer
      dependency_of: []
      description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
      desktop_interact: false
      display_name: Computer Browser
      error_control: normal
      failure_actions:
      - delay_ms: 120000
        type: restart
      - delay_ms: 300000
        type: restart
      - delay_ms: 0
        type: none
      failure_actions_on_non_crash_failure: false
      failure_command: null
      failure_reboot_msg: null
      failure_reset_period_sec: 900
      launch_protection: none
      load_order_group: NetworkProvider
      name: Browser
      path: C:\Windows\System32\svchost.exe -k netsvcs -p
      pre_shutdown_timeout_ms: 10000
      preferred_node: null
      process_id: 2576
      required_privileges: []
      service_exit_code: 0
      service_flags: []
      service_type: win32_share_process
      sid_info: none
      start_mode: manual
      state: started
      triggers:
      - action: start_service
        data_items:
        - data:
          - '139'
          - TCP
          - System
          type: string
        - data:
          - '137'
          - UDP
          - System
          type: string
        - data:
          - '138'
          - UDP
          - System
          type: string
        sub_type: firewall_port_open
        sub_type_guid: b7569e07-8421-4ee0-ad10-86915afdad09
        type: firewall_port_event
      - action: stop_service
        data_items:
        - data:
          - '139'
          - TCP
          - System
          type: string
        - data:
          - '137'
          - UDP
          - System
          type: string
        - data:
          - '138'
          - UDP
          - System
          type: string
        sub_type: firewall_port_close
        sub_type_guid: a144ed38-8e12-4de4-9d96-e64740b1a524
        type: firewall_port_event
      username: NT AUTHORITY\SYSTEM
      wait_hint_ms: 0
      win32_exit_code: 0

TASK [win_wks_min_config : Get computer browser service info] *****
ok: [wks1]

TASK [win_wks_min_config : Output computer browser service info] ***
ok: [wks1] => 
  msg:
    changed: false
    exists: true
    failed: false
    services:
    - checkpoint: 0
      controls_accepted:
      - stop
      dependencies:
      - LanmanWorkstation
      - LanmanServer
      dependency_of: []
      description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
      desktop_interact: false
      display_name: Computer Browser
      error_control: normal
      failure_actions:
      - delay_ms: 120000
        type: restart
      - delay_ms: 300000
        type: restart
      - delay_ms: 0
        type: none
      failure_actions_on_non_crash_failure: false
      failure_command: null
      failure_reboot_msg: null
      failure_reset_period_sec: 900
      launch_protection: none
      load_order_group: NetworkProvider
      name: Browser
      path: C:\Windows\System32\svchost.exe -k netsvcs -p
      pre_shutdown_timeout_ms: 10000
      preferred_node: null
      process_id: 2576
      required_privileges: []
      service_exit_code: 0
      service_flags: []
      service_type: win32_share_process
      sid_info: none
      start_mode: manual
      state: started
      triggers:
      - action: start_service
        data_items:
        - data:
          - '139'
          - TCP
          - System
          type: string
        - data:
          - '137'
          - UDP
          - System
          type: string
        - data:
          - '138'
          - UDP
          - System
          type: string
        sub_type: firewall_port_open
        sub_type_guid: b7569e07-8421-4ee0-ad10-86915afdad09
        type: firewall_port_event
      - action: stop_service
        data_items:
        - data:
          - '139'
          - TCP
          - System
          type: string
        - data:
          - '137'
          - UDP
          - System
          type: string
        - data:
          - '138'
          - UDP
          - System
          type: string
        sub_type: firewall_port_close
        sub_type_guid: a144ed38-8e12-4de4-9d96-e64740b1a524
        type: firewall_port_event
      username: NT AUTHORITY\SYSTEM
      wait_hint_ms: 0
      win32_exit_code: 0

As you can see, despite using 2 different service names, it retrieved info for the same service twice.

Control(s) Affected 5.3 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'

Environment (please complete the following information):

Additional Notes It's worth noting I haven't tried running this role against a workstation with computer browser installed. So I'm not sure what the behavior of this control is against a workstation that has both the computer browser and browser service installed. However, this combination is unlikely given that Windows 11 doesn't include computer browser by default.

It's also worth noting that this will likely solve the error message noted in the comments for 5.3. The error message states that the workstation service isn't running, and the workstation service depends on the browser service.

Possible Solution Change the control to use the display name of computer browser. This avoids the 'name collision' between the computer browser and browser services.

It also might be worth submitting something upstream to the Ansible Windows maintainers to make the win_service* modules' name parameter use either only the display name or the internal name, not either.
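One way the control could be written to avoid the collision, as an added example that is not the role's own code and not part of the original issue: look the service up by its unambiguous display name, then act only on an entry whose internal name and display name both match the Computer Browser service, so that the bowser driver (internal name 'bowser', display name 'Browser') is never selected. The task names, the register variable win11cis_5_3_svc and the assumption that win_service resolves an exact internal name before falling back to a display name (consistent with the output above, where 'Browser' resolved to Computer Browser on a host that has it installed) are this example's own.

```yaml
# Added example (not from the ansible-lockdown role): CIS 5.3 without the
# 'Browser' name collision between Computer Browser (Browser) and Browser (bowser).
- name: "5.3 | PATCH | Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
  block:
    # Query by display name. 'Computer Browser' is unique, whereas 'Browser'
    # is both the internal name of Computer Browser and the display name of bowser.
    - name: "5.3 | AUDIT | Look up the Computer Browser service by display name"
      ansible.windows.win_service_info:
        name: Computer Browser
      register: win11cis_5_3_svc   # assumed variable name

    # Only act on a result whose internal name is exactly 'Browser' and whose
    # display name is exactly 'Computer Browser'. On Windows 11, where the
    # feature is not installed, this list is empty and nothing is changed.
    - name: "5.3 | PATCH | Disable Computer Browser when it is actually installed"
      ansible.windows.win_service:
        name: "{{ item.name }}"
        start_mode: disabled
        state: stopped
      loop: >-
        {{ win11cis_5_3_svc.services
           | selectattr('name', 'equalto', 'Browser')
           | selectattr('display_name', 'equalto', 'Computer Browser')
           | list }}
      when: win11cis_5_3_svc.exists
```

The double selectattr filter is the check that matters: win_service_info returns the resolved service's real name and display_name fields, so a hit that came from the bowser driver would show name 'bowser' and be dropped before win_service is ever called. To confirm on the host afterwards, Get-Service -Name bowser and Get-Service -Name Browser match on internal name only and so show the two services separately; the Workstation (LanmanWorkstation) service should remain running.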

dwierima-aspentech commented 2 months ago

Note: I submitted this same issue to Windows 10 as well: link, because the same issue is occurring on both operating systems.