2.3.10.9 - Configure Network access Remotely accessible registry paths and sub-paths always includes CertSvc and WINS
Opened this issue · 0 comments
Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.
The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc
The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS
Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed
Actual Behavior
The CertSvc and WINS path are always included
Control(s) Affected
2.3.10.9
Possible Solution
- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
block:
- name: 2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"
ansible.builtin.set_fact:
remote_registry_paths: [
'System\CurrentControlSet\Control\Print\Printers',
'System\CurrentControlSet\Services\Eventlog',
'Software\Microsoft\OLAP Server',
'Software\Microsoft\Windows NT\CurrentVersion\Print',
'Software\Microsoft\Windows NT\CurrentVersion\Windows',
'System\CurrentControlSet\Control\ContentIndex',
'System\CurrentControlSet\Control\Terminal Server',
'System\CurrentControlSet\Control\Terminal Server\UserConfig',
'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
'System\CurrentControlSet\Services\SysmonLog'
]
- name: 2.3.10.9 | Check if AD Certificate Services feature is installed
community.windows.win_feature_info:
name: AD-Certificate
register: adcs_feature
- name: 2.3.10.9 | Add CertSvc to paths
ansible.builtin.set_fact:
remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
when: adcs_feature.features[0].installed
- name: 2.3.10.9 | Check if WINS feature is installed
community.windows.win_feature_info:
name: WINS
register: wins_feature
- name: 2.3.10.9 | Add WINS to paths
ansible.builtin.set_fact:
remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
when: wins_feature.features[0].installed
- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
name: "Machine"
data: '{{ remote_registry_paths }}'
type: multistring
when:
- win19cis_rule_2_3_10_9
tags:
- level1-domaincontroller
- level1-memberserver
- rule_2.3.10.9
- patch