
ansible-windows-hardening's Introduction

windows-hardening (Ansible Role)

Attention: This role has been migrated to our hardening-collection:

Please open any issues and pull requests there!

Requirements

  • Ansible 2.3.0

Variables

| Name | Default Value | Description |
|------|---------------|-------------|
| win_security_PasswordComplexity | 1 | Flag that indicates whether the operating system MUST require that passwords meet complexity requirements. Default: True |
| win_security_LockoutBadCount | 4 | Number of failed logon attempts after which a user account MUST be locked out. Default: 4 |
| win_security_ResetLockoutCount | 15 | Number of minutes after a failed logon attempt that the account MUST be locked out. Default: 15 minutes |
| win_security_LockoutDuration | 15 | The number of minutes that a locked-out account MUST remain locked out before automatically becoming unlocked. Default: 15 minutes |
| win_security_SeRemoteInteractiveLogonRight | `*S-1-5-32-544` | Determines which users or groups can access the logon screen of a remote computer through a RDP connection. Default: Administrators |
| win_security_SeTcbPrivilege | `*S-1-0-0` | Allows a process to authenticate like a user and thus gain access to the same resources as a user. Default: Nobody |
| win_security_SeMachineAccountPrivilege | `*S-1-5-32-544` | Allows the user to add a computer to a specific domain. Default: Administrators |
| win_security_SeTrustedCredManAccessPrivilege | `` | Access Credential Manager as a trusted caller policy setting is used by Credential Manager during backup and restore. Default: No One |
| win_security_SeNetworkLogonRight | `*S-1-0-0` | Required for an account to log on using the network logon type. Default: Nobody |
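To check a host against these defaults after a converge, the following added example (not part of the role) parses a security policy export in the `secedit /export` INF layout and reports every setting that differs. It assumes each variable maps to the INF key of the same name without the `win_security_` prefix; the sample export is constructed.

```python
import configparser

# Defaults from the Variables table, keyed by variable name minus the
# "win_security_" prefix (assumed here to be the secedit INF key).
ROLE_DEFAULTS = {
    "System Access": {"PasswordComplexity": "1", "LockoutBadCount": "4",
                      "ResetLockoutCount": "15", "LockoutDuration": "15"},
    "Privilege Rights": {
        "SeRemoteInteractiveLogonRight": "*S-1-5-32-544",
        "SeTcbPrivilege": "*S-1-0-0",
        "SeMachineAccountPrivilege": "*S-1-5-32-544",
        "SeTrustedCredManAccessPrivilege": "",
        "SeNetworkLogonRight": "*S-1-0-0",
    },
}

# Constructed sample in the layout of a `secedit /export` file (real exports
# are UTF-16; decode before parsing). Two values drift from the defaults.
SAMPLE_EXPORT = """\
[System Access]
PasswordComplexity = 1
LockoutBadCount = 0
ResetLockoutCount = 15
LockoutDuration = 15
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeTcbPrivilege = *S-1-0-0
SeMachineAccountPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-0-0
"""

def as_set(value):
    """Treat a comma-separated SID list as an order-insensitive set."""
    return frozenset(v.strip() for v in value.split(",") if v.strip())

def find_drift(inf_text, expected=ROLE_DEFAULTS):
    """Return {key: (expected, actual)} for every setting that differs."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the INF keys' original case
    parser.read_string(inf_text)
    drift = {}
    for section, settings in expected.items():
        for key, want in settings.items():
            # A right assigned to no account may have no line at all.
            have = parser.get(section, key, fallback="")
            if as_set(have) != as_set(want):
                drift[key] = (want, have)
    return drift

if __name__ == "__main__":
    for key, (want, have) in find_drift(SAMPLE_EXPORT).items():
        print(f"{key}: expected {want!r}, found {have!r}")
```

If you override any of the variables, pass your own values as `expected` so that intentional changes are not reported as drift.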

Example Playbook

    - hosts: localhost
      roles:
        - dev-sec.windows-hardening

Local Testing

For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

We create multiple hosts: one Linux host on which Ansible runs, and the Windows hosts.

Next install test-kitchen:

    # Install dependencies
    gem install bundler
    bundle install

Then you can run the playbook and tests:

    # create the ansible and windows hosts
    bundle exec kitchen create

    # run ansible playbook on windows host
    bundle exec kitchen converge default-ansibleserver

    # verify windows machines
    bundle exec kitchen verify windows

Contributing

See contributor guideline.

License and Author

  • Author: Sebastian Gumprich

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

ansible-windows-hardening's People

Contributors

jmsmkn, rndmh3ro


ansible-windows-hardening's Issues

Publish to Ansible Galaxy

Is your feature request related to a problem? Please describe.
Today only the Linux configurations are published to Ansible Galaxy under the dev-sec community provider: https://galaxy.ansible.com/dev-sec

Describe the solution you'd like
It would be good to see the Windows Hardening playbook published in Galaxy.

Windows 2008 R2 Support

Hello,

My apologies for resorting to using a GitHub Issue to ask this question, but I couldn't find another method to contact the maintainers.

I am trying to find out if the Ansible, Chef, or Puppet versions support Windows Server 2008 R2. I completely understand it's EOL, etc. but we have legacy software that requires that operating system.

Any help is appreciated.

Interactive logon question

This isn't so much a "bug". I have a 2016 RDP host that will be used as a terminal server, but rather than logging on with username and password, users will be using their respective smart cards. This works as expected prior to hardening; after hardening I get a prompt: the system administrator has restricted the types of logon (network or interactive) that you may use. I revert back to the snapshot taken prior to hardening and all is well.
I see you have variables such as win_security_SeRemoteInteractiveLogonRight. I am listed in the local admins group prior to the change. Not sure after.
I tried with:
--extra-vars "win_security_SeNetworkLogonRight=S-1-1-0" and still had issues
