ansible-lockdown / Windows-2019-CIS

CIS Baseline Ansible Role for Windows 2019
MIT License

2.3.10.9 - Configure Network access Remotely accessible registry paths and sub-paths always includes CertSvc and WINS #103

Open Crombell95 opened 1 week ago

Crombell95 commented 1 week ago

Describe the Issue

2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.

The recommended state for this setting is:

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

The recommended state for servers that hold the Active Directory Certificate Services Role with the Certification Authority Role Service includes the above list and: System\CurrentControlSet\Services\CertSvc

The recommended state for servers that have the WINS Server Feature installed includes the above list and: System\CurrentControlSet\Services\WINS

Expected Behavior

The CertSvc and WINS paths are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed.

Actual Behavior

The CertSvc and WINS paths are always included.

Control(s) Affected

2.3.10.9

Possible Solution

- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
  block:
      # Start from the base list that applies to every server
      - name: "2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.builtin.set_fact:
            remote_registry_paths: [
                'System\CurrentControlSet\Control\Print\Printers',
                'System\CurrentControlSet\Services\Eventlog',
                'Software\Microsoft\OLAP Server',
                'Software\Microsoft\Windows NT\CurrentVersion\Print',
                'Software\Microsoft\Windows NT\CurrentVersion\Windows',
                'System\CurrentControlSet\Control\ContentIndex',
                'System\CurrentControlSet\Control\Terminal Server',
                'System\CurrentControlSet\Control\Terminal Server\UserConfig',
                'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
                'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
                'System\CurrentControlSet\Services\SysmonLog'
            ]

      - name: "2.3.10.9 | Check if AD Certificate Services feature is installed"
        community.windows.win_feature_info:
            name: AD-Certificate
        register: adcs_feature

      # features is an empty list when the name matches nothing, so guard the index
      - name: "2.3.10.9 | Add CertSvc to paths"
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
        when:
            - adcs_feature.features | length > 0
            - adcs_feature.features[0].installed

      - name: "2.3.10.9 | Check if WINS feature is installed"
        community.windows.win_feature_info:
            name: WINS
        register: wins_feature

      - name: "2.3.10.9 | Add WINS to paths"
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
        when:
            - wins_feature.features | length > 0
            - wins_feature.features[0].installed

      # Write the assembled list as the REG_MULTI_SZ "Machine" value
      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.windows.win_regedit:
            path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
            name: "Machine"
            data: '{{ remote_registry_paths }}'
            type: multistring
  when:
      - win19cis_rule_2_3_10_9
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_2.3.10.9
      - patch
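A local audit of the same control, as an added example that is not part of the issue or of the Windows-2019-CIS role: it builds the expected list the same way the issue describes (base paths, plus CertSvc and WINS only when the corresponding feature is installed) and diffs it against the current AllowedPaths\Machine value. The feature name ADCS-Cert-Authority (the Certification Authority role service) is this example's choice; the issue's proposed task queries the parent AD-Certificate role instead.

```powershell
# Added example, not from the issue or the role. Audits CIS 2.3.10.9 on the local server.
# Requires the ServerManager module (present on Windows Server) for Get-WindowsFeature.

$basePaths = @(
    'System\CurrentControlSet\Control\Print\Printers',
    'System\CurrentControlSet\Services\Eventlog',
    'Software\Microsoft\OLAP Server',
    'Software\Microsoft\Windows NT\CurrentVersion\Print',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'System\CurrentControlSet\Control\ContentIndex',
    'System\CurrentControlSet\Control\Terminal Server',
    'System\CurrentControlSet\Control\Terminal Server\UserConfig',
    'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
    'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
    'System\CurrentControlSet\Services\SysmonLog'
)

$expected = [System.Collections.Generic.List[string]]::new()
$basePaths | ForEach-Object { $expected.Add($_) }

# Role-dependent paths: add them only when the feature is actually installed.
# Feature names are assumptions of this example (ADCS-Cert-Authority = CA role service, WINS = WINS Server).
if ((Get-WindowsFeature -Name 'ADCS-Cert-Authority').Installed) {
    $expected.Add('System\CurrentControlSet\Services\CertSvc')
}
if ((Get-WindowsFeature -Name 'WINS').Installed) {
    $expected.Add('System\CurrentControlSet\Services\WINS')
}

# Current state: the REG_MULTI_SZ value the role writes with win_regedit
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
$actual = @((Get-ItemProperty -Path $regPath -Name 'Machine' -ErrorAction SilentlyContinue).Machine)

# -notin compares strings case-insensitively, which matches how the registry treats these paths
$missing = @($expected | Where-Object { $_ -notin $actual })
$extra   = @($actual   | Where-Object { $_ -notin $expected })

if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    'PASS: AllowedPaths\Machine matches the expected list for the installed roles'
} else {
    'FAIL: AllowedPaths\Machine differs from the expected list'
    $missing | ForEach-Object { "  missing: $_" }
    $extra   | ForEach-Object { "  extra:   $_" }
}
```

Run it in an elevated PowerShell session on the target server; a server without the CA role service or WINS that still lists CertSvc or WINS shows up as "extra", which is exactly the over-permissive state the issue reports.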