ansible-lockdown / Windows-2019-CIS

CIS Baseline Ansible Role for Windows 2019
MIT License

Windows 2019 uses 2016 CIS by mistake #65

Closed IPvFletch closed 1 year ago

IPvFletch commented 1 year ago

The 2019 repo uses the 2016 Windows guide. https://github.com/ansible-lockdown/Windows-2019-CIS

Based on [CIS Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022](https://learn.cisecurity.org/l/799323/2022-03-15/rshpk)

But that link takes you to download CIS_Microsoft_Windows_Server_2016_Benchmark_v1.4.0.pdf

This in itself is not a big deal, but... The rest of the lockdown playbook uses the 2016 guide, not the 2019 guide.

For instance:

https://github.com/ansible-lockdown/Windows-2019-CIS/blob/devel/tasks/section01.yml

```yaml
- name: "1.1.6 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled"
```

Which is what CIS Windows 2016 has:

[Image: Screenshot 2023-03-14 at 10 46 23 AM]

But CIS Windows 2019 is different:

[Image: Screenshot 2023-03-14 at 10 45 16 AM]

MrSteve81 commented 1 year ago

Thank you for catching that. I am actually in the process of updating this branch heavily and have been checking each individual control against the new benchmarks. I have this earmarked already in my changes. I have not pushed an update to my branch yet with the changes.

IPvFletch commented 1 year ago

great news - lmk if we can test out a branch with the fixes!

MrSteve81 commented 1 year ago

@IPvFletch Updates took longer than expected, plus added a bunch of new variables, but they are complete and will do full testing on Monday and then start work on the matching audit files. Lots of changes to this release, so I will test as much as I can.

MrSteve81 commented 1 year ago

Merged to devel; audit has not been done yet.