Skip to content

canihavethisone/cis_security_hardening_windows

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits

.github/workflows

.github/workflows

 
 

.vscode

.vscode

 
 

data

data

 
 

files

files

 
 

lib/facter

lib/facter

 
 

manifests

manifests

 
 

spec

spec

 
 

.fixtures.yml

.fixtures.yml

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.pdkignore

.pdkignore

 
 

.puppet-lint.rc

.puppet-lint.rc

 
 

.rspec

.rspec

 
 

.rubocop.yml

.rubocop.yml

 
 

.sync.yml

.sync.yml

 
 

.yardopts

.yardopts

 
 

CHANGELOG.md

CHANGELOG.md

 
 

Gemfile

Gemfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

REFERENCE.md

REFERENCE.md

 
 

Rakefile

Rakefile

 
 

hiera.yaml

hiera.yaml

 
 

metadata.json

metadata.json

 
 

pdk.yaml

pdk.yaml

 
 

Repository files navigation

build status

cis_security_hardening_windows

Table of Contents

  1. Overview
  2. Description
  3. Building on CIS controls
  4. Beginning with os_hardening
  5. CIS Enforcement Levels
  6. Reference
  7. Development
  8. Release Notes

Overview

This module applies CIS benchmark hardening to:

  • Windows 10: Configurable, defaulted to domain-joined Level 1 & 2 + NG + BL (currently v3.0.0)
  • Windows 11: Configurable, defaulted to domain-joined Level 1 & 2 + BL (currently v3.0.0)

It also configures additional system resources as described below

Description

Windows CIS controls and other resources are applied using registry, security policy, audit policy, optional local group policy (for HKCU controls), execs and dependency modules.

Building on CIS controls

Additional resources are also defined, including:

Windows 10 / 11

  • remote desktop
  • users
  • firewall (limited)

Other Windows 10 / 11 parameters include:

  • cis_profile_type
  • cis_enforcement_level
  • cis_include_bitlocker
  • cis_include_nextgen
  • cis_exclude_rules
  • catalog_no_cache
  • clear_temp_files
  • enable_administrator
  • purge_unmanaged_users
  • performance_powerscheme
  • enable_remote_desktop

Defence in-depth

This module takes a defence in-depth approach, with the following built-in functions:

  • undefined users are purged (except system users)
  • where CIS recommendations have more than 1 acceptable setting, the more stringent is used

Beginning with cis_security_hardening_windows

To use this module, include cis_security_hardening_windows in your Node Classifier (ENC) or wrapping class.

At minimum, the following hiera must be provided to the module:

Windows 10 / 11:

  • cis_security_hardening_windows::logon_banner (string)
  • cis_security_hardening_windows::logon_message (string)
  • cis_security_hardening_windows::disabled_administrator_newname (string)
  • cis_security_hardening_windows::disabled_administrator_newpassword (string)
  • cis_security_hardening_windows::disabled_guest_newname (string)
  • cis_security_hardening_windows::users (hash) is required as built-in administrator will be disabled

See example minimum hiera data here

CIS Enforcement Levels

  • All recommended domain-joined Level 1 & 2 + NG + BL CIS controls are enforced by default using module hiera (standalone selectable)
  • HKCU registry entries are also optionally applied by copying a preconfigured Registry.pol file to C:/Windows/System32/GroupPolicy/
  • Comments in module hiera identify the objective of each setting however CIS reference numbers are not shown as they are subject to change
  • Profile Type, Enforcement Level (1 or 2 (1+2)), BitLocker (BL), NextGen (NG) and HKCU policy inclusion are parameterised: 
    cis_security_hardening_windows::cis_profile_type:      'domain'
cis_security_hardening_windows::cis_enforcement_level: 2
cis_security_hardening_windows::cis_include_bitlocker: true
cis_security_hardening_windows::cis_include_nextgen:   true
cis_security_hardening_windows::cis_include_hkcu:      true
  • A reference list of rules enforced via the system registry is in the hiera folder for each Windows version, eg here. Note that some additional rules are applied by Local Security Policy and Audit Policy resources however.
  • Individual controls can be overridden by any of the following methods:
    • creating a optional hiera array for cis_security_hardening_windows::cis_exclude_rules containing rule titles to be subtracted from the default included hashes (note however that some rules are enforced by the local_security_policy or windows_firewall modules): 
      cis_security_hardening_windows::cis_exclude_rules:
  - "(L1) Ensure 'Allow users to enable online speech recognition services is set to 'Disabled'"
  - "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
    • creating a hiera hash containing registry keys with different values at a higher precedence (eg domain or node) and titled any of: 
      cis_security_hardening_windows::cis_level_1    (or windows_standalone)
cis_security_hardening_windows::cis_level_2    (or windows_standalone)
cis_security_hardening_windows::cis_bitlocker  (or windows_standalone)
cis_security_hardening_windows::cis_nextgen    (or windows_standalone)
    • other methods such as resource collectors to override registry key values if wrapping this module into your own classes

Reference

See the Puppet Strings documentation.

Development

Github repo is available for contributions at https://github.com/canihavethisone/cis_security_hardening_windows

Release Notes

See changelog

About

CIS (Center for Internet Security) Hardening for Windows 10 & 11 using Puppet

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages