ansible-lockdown / Windows-2019-CIS

CIS Baseline Ansible Role for Windows 2019
MIT License

Wrong check in the control 9.3.5 #13

Closed Julieeeen closed 3 years ago

Julieeeen commented 3 years ago

The control checks the data 1 instead of 0

georgenalen commented 3 years ago

Hello, I'm going through the issues and this one I have a question about. There is possibly a typo in the body of it, so I want to make sure I have my head around the issue itself. Looking at the control, we should be setting the apply local firewall rules to no, which is setting the AllowLocalPolicyMerge to no. Looking at some documentation, 0 is no. It doesn't look like MS has documentation for the PublicProfile entries, but it does for the other two, and they have the same setting and it looks like 0=no. I also found an older version of the CIS in STIG viewer that has a better description of the fix for that control, and that has it being set to 0. I want to make sure I'm not misinterpreting the issue or the documentation before going forward with this one, since I could be wrong on it.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2c979624-900a-4b6e-b4ef-09b387cd62ab

Julieeeen commented 3 years ago

Hi

I have double-checked on the CIS website. The artefact is:

Hive: HKEY_LOCAL_MACHINE
Key Operator: case insensitive equals
Key: Software\Policies\Microsoft\WindowsFirewall\PublicProfile
Name: AllowLocalPolicyMerge
Existence: at_least_one_exists
Registry View: default
Registry Data Type: reg_dword
Operator: equals
Value Data Type: int
Value: 0
Criteria: all

Looks like it's a new control published 1 week ago.

I will do some extra checks on my side.

georgenalen commented 3 years ago

OK, I think we are good here. I see the initial comment was edited where it was set to 1 and should be 0. Looking at the control, it is set to 0. So I think everything is good. I have the control pasted below to confirm I'm not missing something.