Closed MattTunny closed 7 years ago
@MattTunny this is a great improvement. We need to make clear why we add those rules. Do we have any reference for those? Can you help me real quick and point me to the CIS or STIG rules?
Ahh sorry, forgot to add the entries they are from. I'll add them in the future with the commit, or probably hashed out for each key so we can easily find them. Total CIS document: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount
This is a sneaky one that was originally only for Windows 10 but appears in Server 2016 now and also now in fully patched 2012 R2 servers. I don't think there's CIS documentation on this one yet; I'll have a look tomorrow at work if we have any. Here are some links on it:
https://technet.microsoft.com/en-us/library/jj966262(v=ws.11).aspx
http://www.top-password.com/blog/block-or-disable-microsoft-account-in-windows-10-8/
http://www.trainingtech.net/how-to-disable-microsoft-account-in-windows-10/
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000110
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf
CIS # - 18.9.61.1 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' (Scored) - Page 632
CIS # - 18.9.54.2 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' (Scored) - Page 625
I am going to add Windows 2016 support for this cookbook soon. We just need to make sure the settings work with Windows 2012 and 2012 R2. Is Windows Store available on Windows 2012, too?
@MattTunny I propose we add tests to the baseline before adding those features here.
Thank you @MattTunny
Added privacy settings to stop Microsoft online accounts bypassing local admins, Windows Store and the new search from finding encrypted files.
There's a few more we could add in here that Microsoft have been adding lately; I think this is a good start to the big ones.