dev-sec / chef-windows-hardening

This chef cookbook provides windows hardening configurations for the DevSec Windows baseline profile.
http://dev-sec.io

Privacy settings #22

Closed MattTunny closed 7 years ago

MattTunny commented 7 years ago

Added privacy settings to stop Microsoft online accounts bypassing local admins, Windows Store, and the new search from finding encrypted files.

There are a few more we could add in here that Microsoft have been adding lately; I think this is a good start on the big ones.

chris-rock commented 7 years ago

@MattTunny this is a great improvement. We need to make clear why we add those rules. Do we have any reference for those? Can you help me real quick and point me to the CIS or STIG rules?

MattTunny commented 7 years ago

Ahh, sorry, I forgot to add the entries they are from. I'll add them in the future with the commit, or probably hashed out for each key so we can easily find them.

Total CIS document: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf

Disable Microsoft Online Accounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount

This is a sneaky one that was originally only for Windows 10 but appears in Server 2016 now, and also now in fully patched 2012 R2 servers. I don't think there's CIS documentation on this one yet; I'll have a look tomorrow at work if we have any. Here are some links on it:

https://technet.microsoft.com/en-us/library/jj966262(v=ws.11).aspx
http://www.top-password.com/blog/block-or-disable-microsoft-account-in-windows-10-8/
http://www.trainingtech.net/how-to-disable-microsoft-account-in-windows-10/

Disable Windows Store

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore

https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000110
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf

CIS # - 18.9.61.1 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' (Scored) - Page 632

Index of encrypted files

CIS # - 18.9.54.2 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' (Scored) - Page 625
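An audit-only check for the three settings listed above, added here as an example and not part of the cookbook or of the thread. The key paths under Policies\Microsoft\WindowsStore and the PolicyManager path come from the comment; the value names (`value`, `RemoveWindowsStore`, `AllowIndexingEncryptedStoresOrItems`), the expected data and the "Windows Search" policy key are assumptions taken from the referenced CIS/STIG items, so verify them against the benchmark before relying on the output.

```powershell
# Added example (not the cookbook's code): report whether the privacy settings
# from this PR are configured as the benchmarks expect. Value names and expected
# data are assumptions from the CIS/STIG references, not from the thread itself.
$Checks = @(
    @{ Id   = 'Microsoft online accounts (PolicyManager AllowYourAccount)'
       Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount'
       Name = 'value'; Expected = 0 },   # assumption: CSP policies keep their data in "value"
    @{ Id   = 'Windows Store disabled (STIG WN12-CC-000110)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
       Name = 'RemoveWindowsStore'; Expected = 1 },
    @{ Id   = 'Indexing of encrypted files (CIS 18.9.54.2)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'AllowIndexingEncryptedStoresOrItems'; Expected = 0 }
)

function Test-PrivacySetting {
    param([hashtable]$Check)
    # A missing policy key or value means "not configured". The benchmarks treat
    # that as a finding, so report it as non-compliant instead of erroring out.
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }
    [pscustomobject]@{
        Setting   = $Check.Id
        Key       = $Check.Path
        Value     = $Check.Name
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { 'not configured' } else { $actual }
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = $Checks | ForEach-Object { Test-PrivacySetting -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit so a test-kitchen or CI run flags drift from the baseline.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it from an elevated PowerShell on the converged node; it only reads the registry and never changes any of the keys.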

chris-rock commented 7 years ago

I am going to add Windows 2016 support for this cookbook soon. We just need to make sure the settings work with Windows 2012 and 2012 R2. Is Windows Store available on Windows 2012, too?

chris-rock commented 7 years ago

@MattTunny I propose we add tests to the baseline before adding those features here.

chris-rock commented 7 years ago

Thank you @MattTunny