implement until cis 2.3.2.2

Signed-off-by: Patrick Münch <[email protected]>

Author: atomic111

.kitchen.yml

@@ -26,6 +26,11 @@ suites:
     run_list:
       - recipe[windows-hardening::default]
     attributes:
+      account_status:
+        names:
+          - 'Guest'
+      rename_account:
+        admin_account: false
       security_policy:
         rights:
           SeNetworkLogonRight: '*S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551'

attributes/account.rb

@@ -0,0 +1,14 @@
+# encoding: utf-8
+
+# Cookbook Name:: windows-hardening
+# Attributes:: account
+
+# define which accounts should be disabled
+default['account_status']['names'] = ['Administrator', 'Guest']
+default['account_status']['active_yes_no'] = 'no'
+
+# define the new account names for Administrator and Guest
+default['rename_account']['admin_account'] = true
+default['rename_account']['guest_account'] = true
+default['rename_account']['new_admin_name'] = 'CustomAdminName'
+default['rename_account']['new_guest_name'] = 'CustomGuestName'

attributes/default.rb

@@ -6,3 +6,9 @@
 # set this value if you want to harden terminal services
 default['windows_hardening']['rdp']['harden'] = true
 default['windows_hardening']['smbv1']['disable'] = true
+
+# apply MS or DC configuration, possible values MS or DC
+default['default']['ms_or_dc'] = 'MS'
+
+# apply Level 1 or 2 configuration, possible values 1 or 2
+default['default']['level_1_or_2'] = 1

attributes/sec_policy.rb

@@ -0,0 +1,95 @@
+#
+# Cookbook Name:: windows-hardening
+# Recipe:: account_status
+#
+# Copyright (c) 2019 The Authors, All Rights Reserved.
+
+return unless node['platform_family'] == 'windows'
+
+# Ensure \'Accounts: Administrator account status\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.1'
+# Ensure \'Accounts: Guest account status\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.3'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.3'
+node['account_status']['names'].each do |name|
+  account_status "disable #{name} account" do
+    account_name name
+    value node['account_status']['active_yes_no']
+    action :set
+  end
+end
+
+# Ensure \'Accounts: Block Microsoft accounts\' is set to \'Users can\'t add or log on with Microsoft accounts\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.2'
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' do
+  values [{
+    name: 'NoConnectedUser',
+    type: :dword,
+    data: 3
+  }]
+  action :create
+  recursive true
+end
+
+# Ensure \'Accounts: Limit local account use of blank passwords to console logon only\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.4'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.4'
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+  values [{
+    name: 'LimitBlankPasswordUse',
+    type: :dword,
+    data: 1
+  }]
+  action :create
+  recursive true
+end
+
+# Configure \'Accounts: Rename administrator account\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.5'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.5'
+if node['rename_account']['admin_account'] == true
+  rename_account "rename Administrator name to #{node['rename_account']['new_admin_name']} account" do
+    original_name 'Administrator'
+    new_name node['rename_account']['new_admin_name']
+    action :set
+  end
+end
+
+# Configure \'Accounts: Rename guest account\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.1.6'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.1.6'
+if node['rename_account']['guest_account'] == true
+  rename_account "rename Guest name to #{node['rename_account']['new_guest_name']} account" do
+    original_name 'Guest'
+    new_name node['rename_account']['new_guest_name']
+    action :set
+  end
+end
+
+# Ensure \'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\' is set to \'Enabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.1'
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+  values [{
+    name: 'SCENoApplyLegacyAuditPolicy',
+    type: :dword,
+    data: 1
+  }]
+  action :create
+  recursive true
+end
+
+# Ensure \'Audit: Shut down system immediately if unable to log security audits\' is set to \'Disabled\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.2.2'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.2.2'
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+  values [{
+    name: 'CrashOnAuditFail',
+    type: :dword,
+    data: 0
+  }]
+  action :create
+  recursive true
+end

recipes/accounts.rb

@@ -7,7 +7,10 @@
 return unless node['platform_family'] == 'windows'
 
 #include_recipe 'windows-hardening::password_policy'
+include_recipe 'windows-hardening::accounts'
 include_recipe 'windows-hardening::security_policy'
+include_recipe 'windows-hardening::devices'
+
 include_recipe 'windows-hardening::user_rights'
 include_recipe 'windows-hardening::audit'
 include_recipe 'windows-hardening::ie'

recipes/default.rb

@@ -0,0 +1,14 @@
+# Ensure \'Devices: Allowed to format and eject removable media\' is set to \'Administrators\'
+# tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '2.3.4.1'
+# tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '2.3.4.1'
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' do
+  values [{
+    name: 'AllocateDASD',
+    type: :dword,
+    data: 0
+  }]
+  action :create
+  recursive true
+end
+
+#

recipes/devices.rb

@@ -0,0 +1,18 @@
+resource_name :account_status
+
+property :account_status_name, String, name_property: true
+property :account_name, String, required: true
+property :value, String, required: true
+
+action :set do
+  execute new_resource.account_status_name do
+    command "net user #{new_resource.account_name} /active:#{new_resource.value}"
+    action :run
+    not_if { ::File.exist?("C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock") }
+    notifies :create, "file[C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock]", :immediately
+  end
+
+  file "C:\\#{new_resource.account_name}_active_#{node['account_status']['active_yes_no']}.lock" do
+    action :create
+  end
+end

resources/account_status.rb

@@ -0,0 +1,18 @@
+resource_name :rename_account
+
+property :rename_account_name, String, name_property: true
+property :original_name, String, required: true
+property :new_name, String, required: true
+
+action :set do
+  execute new_resource.rename_account_name do
+    command "wmic useraccount where name=\'#{new_resource.original_name}\' call rename name=\'#{new_resource.new_name}\'"
+    action :run
+    not_if { ::File.exist?("C:\\rename_#{new_resource.original_name}.lock") }
+    notifies :create, "file[C:\\rename_#{new_resource.original_name}.lock]", :immediately
+  end
+
+  file "C:\\rename_#{new_resource.original_name}.lock" do
+    action :create
+  end
+end

resources/rename_account.rb

@@ -2,4 +2,7 @@
   # we need to skip the test to ensure we can connect with non-administrator
   # winrm user for our tests
   attribute('se_network_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551'])
+  attribute('se_interactive_logon_right', default: ['S-1-5-32-544', 'S-1-5-9'])
+  attribute('se_remote_interactive_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551'])
+
 end