fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Script to compare Windows 10 => Windows 11 CIS Benchmarks #15134

Closed noahtalerman closed 10 months ago

noahtalerman commented 1 year ago

Goal

User story
As a Fleet contributor,
I want to run a script that compares the Windows 10 and Windows 11 Enterprise CIS Benchmarks
so that I can get a list of which benchmarks were added, removed, or changed in Windows 11.

Changes

Context
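The comparison the user story asks for, keyed on recommendation titles so that a renumbered item is not mistaken for a changed one. This is an added example, not Fleet's tools/cis script or the gist linked later in the thread; the input line format is assumed from the listing posted in the thread.

```python
import re
from typing import NamedTuple

# Added example, not Fleet's tools/cis script or the gist linked in this issue. It keys the
# comparison on the recommendation title instead of the line position, so items that only
# shift number when a neighbour is inserted or removed are reported as renumbered, not changed.
ITEM_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)*)\s+\((?P<level>[A-Z0-9]+)\)\s+(?P<title>.+)$")

class Item(NamedTuple):
    num: str
    level: str
    title: str

def _num_key(item: Item) -> tuple:
    return tuple(int(part) for part in item.num.split("."))

def parse_items(text: str) -> dict:
    """Map normalised title -> Item; collapses the doubled spaces PDF extraction leaves behind."""
    items = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            title = re.sub(r"\s+", " ", m.group("title")).strip()
            items[title] = Item(m.group("num"), m.group("level"), title)
    return items

def compare(old_text: str, new_text: str) -> dict:
    """Classify differences into added, removed, level_changed and renumbered buckets."""
    old, new = parse_items(old_text), parse_items(new_text)
    common = old.keys() & new.keys()
    pair_key = lambda pair: _num_key(pair[0])
    return {
        "added": sorted((new[t] for t in new.keys() - old.keys()), key=_num_key),
        "removed": sorted((old[t] for t in old.keys() - new.keys()), key=_num_key),
        "level_changed": sorted(((old[t], new[t]) for t in common if old[t].level != new[t].level), key=pair_key),
        "renumbered": sorted(((old[t], new[t]) for t in common if old[t].num != new[t].num), key=pair_key),
    }

# Constructed sample input copied from the 18.4 and 18.9.5 hunks in the issue (the doubled space on the Win10 NetBT line is from the original listing).
WIN10 = """\
18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled' (Automated)
18.4.7 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'  (Automated)
18.9.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
"""
WIN11 = """\
18.4.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' (Automated)
18.9.5.1 (L1) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
18.9.5.7 (L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode' (Automated)
"""
```

Run `compare(WIN10, WIN11)` on the sample: 'LSA Protection' lands in removed, the stack-protection item in added, the VBS item in level_changed (NG to L1), and NetBT in renumbered only.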

sharon-fdm commented 1 year ago

I spoke with @defensivedepth and he is willing to take this. Need to discuss timelines.

sharon-fdm commented 1 year ago

@defensivedepth Please add all info in this central location.

defensivedepth commented 1 year ago

First cut. Is this what you are looking for?

I can make it more readable, divide into sections of New vs. Changed, etc.

Diff generated on: 2023-11-17

Win10: -- Win10
Win11: ++ Win11

@@ -288,3 +288,2 @@
Win10: 18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled' (Automated)
Win10: 18.4.7 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'  (Automated)
Win10: 18.4.8 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)
Win11: 18.4.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'  (Automated)
Win11: 18.4.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)
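Review bot: only one recommendation is actually missing on the Win11 side of this hunk ('LSA Protection', 18.4.6); 'NetBT NodeType configuration' and 'WDigest Authentication' are identical apart from their numbers shifting down by one. Because the diff is line-based, a single deletion makes every following item in the section show up as changed; keying the comparison on the quoted title rather than the line would reduce this hunk to one 'removed' entry, which is the added/removed/changed list the user story asks for.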
@@ -310,2 +309,3 @@
Win10: 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on  public networks' (Automated)
Win10: 18.6.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (Automated)
Win11: 18.6.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or  higher (Automated)
Win11: 18.6.4.2 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on  public networks' (Automated)
Win11: 18.6.4.3 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (Automated)
@@ -370,6 +370,7 @@
Win10: 18.9.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
Win10: 18.9.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to  'Secure Boot' or higher (Automated)
Win10: 18.9.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code  Integrity' is set to 'Enabled with UEFI lock' (Automated)
Win10: 18.9.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is  set to 'True (checked)' (Automated)
Win10: 18.9.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to  'Enabled with UEFI lock' (Automated)
Win10: 18.9.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to  'Enabled' (Automated)
Win11: 18.9.5.1 (L1) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
Win11: 18.9.5.2 (L1) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to  'Secure Boot' or higher (Automated)
Win11: 18.9.5.3 (L1) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code  Integrity' is set to 'Enabled with UEFI lock' (Automated)
Win11: 18.9.5.4 (L1) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set  to 'True (checked)' (Automated)
Win11: 18.9.5.5 (L1) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to  'Enabled with UEFI lock' (Automated)
Win11: 18.9.5.6 (L1) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to  'Enabled' (Automated)
Win11: 18.9.5.7 (L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack  Protection' is set to 'Enabled: Enabled in enforcement mode' (Automated)
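Review bot: the six 18.9.5.1 to 18.9.5.6 items carry identical titles on both sides and differ only in profile level, (NG) in Win10 against (L1) in Win11; the only new recommendation is 18.9.5.7 'Kernel-mode Hardware-enforced Stack Protection'. A profile-level change affects which hosts a policy should be applied to, so it is worth reporting as its own 'level changed' bucket instead of appearing as six full-line edits that hide the one genuinely new item.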
@@ -425 +426 @@
Win10: 18.9.25.2 (NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with  UEFI Lock' (Automated)
Win11: 18.9.25.2 (L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with  UEFI Lock' (Automated)
@@ -588,2 +589,3 @@
Win10: 18.10.29.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Automated)
Win10: 18.10.29.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Automated)
Win11: 18.10.29.3 (L2) Ensure 'Turn off files from Office.com in Quick access view' is set to 'Enabled' (Automated)
Win11: 18.10.29.4 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Automated)
Win11: 18.10.29.5 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Automated)
@@ -597 +598,0 @@
Win10: 18.10.35.1 (L1) 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'  (Automated)
@@ -625,6 +626,6 @@
Win10: 18.10.44.1 (NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'  (Automated)
Win10: 18.10.44.2 (NG) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is  set to 'Disabled' (Automated)
Win10: 18.10.44.3 (NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to  'Disabled' (Automated)
Win10: 18.10.44.4 (NG) Ensure 'Allow files to download and save to the host operating system from Microsoft  Defender Application Guard' is set to 'Disabled' (Automated)
Win10: 18.10.44.5 (NG) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard  behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'  (Automated)
Win10: 18.10.44.6 (NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to  'Enabled: 1' (Automated)
Win11: 18.10.44.1 (L1) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'  (Automated)
Win11: 18.10.44.2 (L1) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is  set to 'Disabled' (Automated)
Win11: 18.10.44.3 (L1) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to  'Disabled' (Automated)
Win11: 18.10.44.4 (L1) Ensure 'Allow files to download and save to the host operating system from Microsoft  Defender Application Guard' is set to 'Disabled' (Automated)
Win11: 18.10.44.5 (L1) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard  behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'  (Automated)
Win11: 18.10.44.6 (L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to  'Enabled: 1' (Automated)
@@ -647 +648,2 @@
Win10: 18.10.57.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Automated)
Win11: 18.10.57.2.2 (L2) Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to  'Enabled' (Automated)
Win11: 18.10.57.2.3 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Automated)
@@ -696,0 +699,4 @@
Win11: 18.10.76.1.1 (L1) Ensure 'Notify Malicious' is set to 'Enabled' (Automated)
Win11: 18.10.76.1.2 (L1) Ensure 'Notify Password Reuse' is set to 'Enabled' (Automated)
Win11: 18.10.76.1.3 (L1) Ensure 'Notify Unsafe App' is set to 'Enabled' (Automated)
Win11: 18.10.76.1.4 (L1) Ensure 'Service Enabled' is set to 'Enabled' (Automated)
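Review bot: this hunk is a pure addition (the Win10 range is empty, -696,0), so it is the 'added' bucket verbatim, but the titles 'Notify Malicious', 'Notify Password Reuse', 'Notify Unsafe App' and 'Service Enabled' say nothing on their own about which feature they configure; the output should carry the section number (18.10.76.1) next to each title so a reader can place them without opening the benchmark PDF.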
@@ -703,0 +710 @@
Win11: 18.10.79.1 (L1) Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1' (Automated)
sharon-fdm commented 1 year ago

@defensivedepth thanks. This is the changelog that we need. The script should be the final result for this ticket.

defensivedepth commented 1 year ago

@sharon-fdm Here is the script. I have confirmed it works for both Windows and the macOS benchmarks as well.

https://gist.github.com/defensivedepth/50da16f165968f70f611eea74c2fe693

sharon-fdm commented 1 year ago

Thanks @defensivedepth. As agreed, let's continue with implementing the changes on a separate Win11.yml. I will send a ticket for that soon.

noahtalerman commented 10 months ago

I have confirmed it works for both Windows and the macOS benchmarks as well.

https://gist.github.com/defensivedepth/50da16f165968f70f611eea74c2fe693

@sharon-fdm will this script work for future updates to CIS policies? If so, I think we should bring this script into the Fleet repo.

What do you think?

noahtalerman commented 10 months ago

@sharon-fdm ping! Will this script work for future updates to CIS policies? If so, I think we should bring this script into the Fleet repo.

What do you think?

sharon-fdm commented 10 months ago

@noahtalerman, crap! I missed your question. Yes. The tool will be useful for future work and I added it here: https://github.com/fleetdm/fleet/blob/main/tools/cis/CIS-Benchmark-diff.py

noahtalerman commented 10 months ago

The tool will be useful for future work and I added it here: https://github.com/fleetdm/fleet/blob/main/tools/cis/CIS-Benchmark-diff.py

Cool! Thanks

fleet-release commented 10 months ago

Script compares, gleams, Windows benchmarks flow like streams. Clarity it brings.