ansible-lockdown / Windows-2022-CIS

CIS Baseline Ansible Role for Windows 2022
MIT License

Control 18.10.43.10.2 Misconfigured #28

Closed natilik-mikeguy closed 8 months ago

natilik-mikeguy commented 9 months ago

Describe the Issue

Under the following file... https://github.com/ansible-lockdown/Windows-2022-CIS/blob/devel/tasks/section18.yml you have the following code:

- name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
  ansible.windows.win_regedit:
      path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
      name: DisableRealtimeMonitoring
      data: 1
      datatype: dword

I believe this is actually doing the opposite of what is intended. This was brought to my attention by an incident created in Microsoft Defender for Endpoint. It flagged a high severity incident that Ansible was disabling Defender protection.

Expected Behavior

I believe this should be setting the dword value to 0 as highlighted here...

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring

I can see the confusion with the use of Disabled/Enabled. But when Enabled (dword value 1), you are enabling the disabling of the setting, i.e. DisableRealtimeMonitoring = true.

Registry Hive | HKEY_LOCAL_MACHINE
Registry Path | Software\Policies\Microsoft\Windows Defender\Real-Time Protection
Value Name | DisableRealtimeMonitoring
Value Type | REG_DWORD
Enabled Value | 1
Disabled Value | 0

Control(s) Affected

18.10.43.10.2

Environment (please complete the following information):

Using git tag 2.0.0. Have checked latest devel and it is still the same.
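An added example, not code from the role or from the issue above: an Ansible play that first reads the policy value this thread discusses, reports when it is already 1 (real-time protection turned off by policy), then sets it to 0 and verifies the result. The inventory group `windows` and the variable name `rtp_key` are assumptions.

```yaml
# Added example (not part of the ansible-lockdown role): audit, then remediate,
# the value discussed in this issue. Inventory group "windows" is assumed.
- name: Audit and remediate 18.10.43.10.2 (real-time protection must stay on)
  hosts: windows
  vars:
    rtp_key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  tasks:
    - name: Read the current DisableRealtimeMonitoring policy value
      ansible.windows.win_reg_stat:
        path: "{{ rtp_key }}"
        name: DisableRealtimeMonitoring
      register: rtp_policy

    - name: Report hosts where policy is currently turning real-time protection off
      ansible.builtin.debug:
        msg: >-
          DisableRealtimeMonitoring is {{ rtp_policy.value }}: real-time
          protection is being disabled by policy on this host.
      when: rtp_policy.exists and (rtp_policy.value | int) == 1

    - name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
      ansible.windows.win_regedit:
        path: "{{ rtp_key }}"
        name: DisableRealtimeMonitoring
        data: 0      # 0 = policy 'Disabled' = real-time protection stays on
        type: dword

    - name: Re-read the value after remediation
      ansible.windows.win_reg_stat:
        path: "{{ rtp_key }}"
        name: DisableRealtimeMonitoring
      register: rtp_after

    - name: Fail the play if real-time protection is still disabled by policy
      ansible.builtin.assert:
        that:
          - rtp_after.exists
          - (rtp_after.value | int) == 0
        fail_msg: "DisableRealtimeMonitoring is {{ rtp_after.value }}, expected 0"
```

Running the play with `--check` performs only the audit and assertion steps, which is enough to confirm whether a host was affected by the original task without changing it.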

frederickw082922 commented 9 months ago

Good day @natilik-mikeguy

Great catch and breakdown!! Thank you!!

We will update the Control in the next release!!

CC: @MrSteve81

frederickw082922 commented 8 months ago

Merged fix in #29