From be3a0af85e8f997e94eb6570dc4c06d8844df27f Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Wed, 26 Jun 2024 12:12:30 -0400
Subject: [PATCH 01/22] Adding Windows 11 SCT baseline
---
ash-windows/sct/Windows_11/audit.csv | 24 ++
ash-windows/sct/Windows_11/gpttmpl.yml | 188 +++++++++
ash-windows/sct/Windows_11/init.sls | 1 +
.../sct/Windows_11/machine_registry.yml | 379 ++++++++++++++++++
ash-windows/sct/Windows_11/user_registry.yml | 8 +
5 files changed, 600 insertions(+)
create mode 100644 ash-windows/sct/Windows_11/audit.csv
create mode 100644 ash-windows/sct/Windows_11/gpttmpl.yml
create mode 100644 ash-windows/sct/Windows_11/init.sls
create mode 100644 ash-windows/sct/Windows_11/machine_registry.yml
create mode 100644 ash-windows/sct/Windows_11/user_registry.yml
diff --git a/ash-windows/sct/Windows_11/audit.csv b/ash-windows/sct/Windows_11/audit.csv
new file mode 100644
index 0000000..05cae4d
--- /dev/null
+++ b/ash-windows/sct/Windows_11/audit.csv
@@ -0,0 +1,24 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
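Review bot: The Logon/Logoff rows on lines 29-33 have no `Audit Logoff` entry, so a logon produces a 4624 but nothing marks the end of the session (4634/4647), and session duration cannot be reconstructed from this policy alone. If the upstream SCT export for Windows 11 sets Logoff to Success, the row was dropped in translation and should be restored as `,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1`; if the export really omits it, a comment in the state that loads this file explaining the deviation would save the next reviewer the same question. Either way, verify the GUID against `auditpol /list /subcategory:* /v` on a target build before relying on it.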
diff --git a/ash-windows/sct/Windows_11/gpttmpl.yml b/ash-windows/sct/Windows_11/gpttmpl.yml
new file mode 100644
index 0000000..bd597aa
--- /dev/null
+++ b/ash-windows/sct/Windows_11/gpttmpl.yml
@@ -0,0 +1,188 @@
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDenyRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-113'
+- name: SeCreatePermanentPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeDenyNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-113'
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-32-555'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20'
+- name: SeCreateTokenPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-32-545'
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTrustedCredManAccessPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTcbPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeEnableDelegationPrivilege
+ policy_type: secedit
+ value: ''
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+ policy_type: regpol
+ value: O:BAG:BAD:(A;;RC;;;BA)
+ vtype: SZ
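Review bot: `SeDenyNetworkLogonRight` and `SeDenyRemoteInteractiveLogonRight` (lines 68-70, 83-85) both deny S-1-5-113, i.e. every local account, and `SeNetworkLogonRight` (line 88) is narrowed to Administrators and Remote Desktop Users; if this file is ever applied to a standalone (non-domain-joined) instance, no local account can reach the host over SMB, WinRM or RDP once the state runs, which is the intended SCT behaviour for domain members but a lock-out on an image with only local users. That constraint should be stated in the state or README, and the layer that applies this file needs a documented way to exempt a break-glass account or skip the two deny rights on standalone hosts. Minor: the `RestrictRemoteSAM` SDDL on line 239 parses as a plain scalar only because no `:` is followed by a space; quoting it as `value: 'O:BAG:BAD:(A;;RC;;;BA)'` matches the other SZ entries and removes that fragility.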
diff --git a/ash-windows/sct/Windows_11/init.sls b/ash-windows/sct/Windows_11/init.sls
new file mode 100644
index 0000000..53afed9
--- /dev/null
+++ b/ash-windows/sct/Windows_11/init.sls
@@ -0,0 +1 @@
+{#- Placeholder init file #}
diff --git a/ash-windows/sct/Windows_11/machine_registry.yml b/ash-windows/sct/Windows_11/machine_registry.yml
new file mode 100644
index 0000000..b4d8703
--- /dev/null
+++ b/ash-windows/sct/Windows_11/machine_registry.yml
@@ -0,0 +1,379 @@
+- key: Computer\Software\Microsoft\WcmSvc\wifinetworkmanager\config\AutoConnectAllowedOEM
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\AppPrivacy\LetAppsActivateWithVoiceAboveLock
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '196608'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\GameDVR\AllowGameDVR
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1,RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1,RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fUseMailto
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowFullControl
+ policy_type: regpol
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiry
+ policy_type: regpol
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiryUnits
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PolicyVersion
+ policy_type: regpol
+ value: '538'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogDroppedPackets
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize
+ policy_type: regpol
+ value: '16384'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogSuccessfulConnections
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogDroppedPackets
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFileSize
+ policy_type: regpol
+ value: '16384'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFileSize
+ policy_type: regpol
+ value: '16384'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogDroppedPackets
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogSuccessfulConnections
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
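Review bot: Process creation auditing is enabled in audit.csv, but nothing in this hunk sets `Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled`, so 4688 events will carry only the image path and not the command line that detection rules key on; if the upstream SCT registry.pol sets it (recent Microsoft baselines do), add `- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled` with `value: '1'` and `vtype: DWORD`, otherwise note the deviation. `AdmPwdEnabled` on line 589 only does anything once the legacy LAPS client-side extension and AD schema are present on a domain-joined host; on a standalone instance it is inert, so a comment such as `# LAPS (AdmPwd) only takes effect on domain-joined hosts with the LAPS CSE installed` would stop a reader taking this line as evidence that the local Administrator password is being managed.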
diff --git a/ash-windows/sct/Windows_11/user_registry.yml b/ash-windows/sct/Windows_11/user_registry.yml
new file mode 100644
index 0000000..73858f2
--- /dev/null
+++ b/ash-windows/sct/Windows_11/user_registry.yml
@@ -0,0 +1,8 @@
+- key: User\Software\Policies\Microsoft\Windows\CloudContent\DisableThirdPartySuggestions
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: User\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
From d2e8e33adc24fa620251833592519a5da69434b3 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Wed, 26 Jun 2024 12:14:03 -0400
Subject: [PATCH 02/22] Adding Windows Server 2022 SCT DC and MS baselines
---
.../sct/Windows_2022Server_DC/audit.csv | 30 ++
.../sct/Windows_2022Server_DC/gpttmpl.yml | 189 ++++++++++
.../sct/Windows_2022Server_DC/init.sls | 1 +
.../machine_registry.yml | 327 ++++++++++++++++++
.../Windows_2022Server_DC/user_registry.yml | 1 +
.../sct/Windows_2022Server_MS/audit.csv | 24 ++
.../sct/Windows_2022Server_MS/gpttmpl.yml | 188 ++++++++++
.../sct/Windows_2022Server_MS/init.sls | 1 +
.../machine_registry.yml | 255 ++++++++++++++
.../Windows_2022Server_MS/user_registry.yml | 1 +
10 files changed, 1017 insertions(+)
create mode 100644 ash-windows/sct/Windows_2022Server_DC/audit.csv
create mode 100644 ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml
create mode 100644 ash-windows/sct/Windows_2022Server_DC/init.sls
create mode 100644 ash-windows/sct/Windows_2022Server_DC/machine_registry.yml
create mode 100644 ash-windows/sct/Windows_2022Server_DC/user_registry.yml
create mode 100644 ash-windows/sct/Windows_2022Server_MS/audit.csv
create mode 100644 ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml
create mode 100644 ash-windows/sct/Windows_2022Server_MS/init.sls
create mode 100644 ash-windows/sct/Windows_2022Server_MS/machine_registry.yml
create mode 100644 ash-windows/sct/Windows_2022Server_MS/user_registry.yml
diff --git a/ash-windows/sct/Windows_2022Server_DC/audit.csv b/ash-windows/sct/Windows_2022Server_DC/audit.csv
new file mode 100644
index 0000000..96e6b70
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_DC/audit.csv
@@ -0,0 +1,30 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Kerberos Authentication Service,{0cce9242-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Kerberos Service Ticket Operations,{0cce9240-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
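Review bot: `Audit Credential Validation` on line 680 is Failure only, while the Windows 11 baseline in patch 01 audits Success and Failure; on a domain controller this subcategory is where every NTLM authentication validated by the DC is recorded (4776), so dropping the success side removes the main DC-side record of successful NTLM logons used in pass-the-hash and relay investigations. If this matches the upstream SCT DC export, keep it but record the rationale next to the file; if it was a transcription slip, the row should read `,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3`. The same question applies to `Audit Kerberos Service Ticket Operations` on line 682, which is Failure only and therefore never logs successful TGS requests (4769), the events normally used to spot Kerberoasting — confirm the Failure-only value is deliberate (it is a common choice for volume reasons) rather than accidental.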
diff --git a/ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml b/ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml
new file mode 100644
index 0000000..a1bfa0e
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml
@@ -0,0 +1,189 @@
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateTokenPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTrustedCredManAccessPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20'
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeEnableDelegationPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreatePermanentPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-11,*S-1-5-9'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTcbPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
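Review bot: `LDAPServerIntegrity: '2'` and `LdapEnforceChannelBinding: '2'` (lines 896-903) put the DC straight into "require signing" and "always" enforce channel binding, which rejects any LDAP client that does simple binds without TLS or cannot supply channel-binding tokens; that is the right end state, but it is a breaking change for legacy appliances and older Linux/Java clients, so the state applying this file should document checking Directory Service events 2889 and 3039 on the DC before enforcement, or allow staging `LdapEnforceChannelBinding` at 1 first. Separately, this DC file has no `SeMachineAccountPrivilege` entry, so "Add workstations to domain" stays at its default of Authenticated Users (each able to join up to the ms-DS-MachineAccountQuota of machines); if the upstream DC export restricts it to Administrators, add `- name: SeMachineAccountPrivilege` / `policy_type: secedit` / `value: '*S-1-5-32-544'`, and if it does not, it is still a cheap hardening worth considering as a documented local addition.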
diff --git a/ash-windows/sct/Windows_2022Server_DC/init.sls b/ash-windows/sct/Windows_2022Server_DC/init.sls
new file mode 100644
index 0000000..53afed9
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_DC/init.sls
@@ -0,0 +1 @@
+{#- Placeholder init file #}
diff --git a/ash-windows/sct/Windows_2022Server_DC/machine_registry.yml b/ash-windows/sct/Windows_2022Server_DC/machine_registry.yml
new file mode 100644
index 0000000..d923acf
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_DC/machine_registry.yml
@@ -0,0 +1,327 @@
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '196608'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1,RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1,RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- action: CREATEKEY
+ key: Computer\Software\Policies\Microsoft\Windows\Safer\*
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Appx\EnforcementMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Appx\AllowWindows
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Appx\a9e18c21-ff8f-43cf-b9fc-db40eed693ba\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Dll\AllowWindows
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\EnforcementMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\AllowWindows
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\61bd6501-5227-446f-b233-faffc7620c58\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\61cc3c42-eee8-438a-8c78-a80da093d621\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\6676be6c-419b-41a8-8943-39715b98f77a\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\881d54fe-3848-4d6a-95fd-42d48ebe60b8\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\921cc481-6e17-4653-8f75-050b80acca20\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\fd686d83-a829-4351-8ff4-27c7de5755d2\Value
+ policy_type: regpol
+ value: \r\n
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Msi\AllowWindows
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Script\AllowWindows
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PolicyVersion
+ policy_type: regpol
+ value: '538'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
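Review bot: The AppLocker entries under `SrpV2` — `Appx\a9e18c21-…\Value` and the seven `Exe\<guid>\Value` keys — carry `\r\n` as their SZ data instead of rule XML, while `Exe\EnforcementMode` and `Appx\EnforcementMode` are set to 1 (enforce); as a plain YAML scalar `\r\n` is not an escape, so what lands in the registry is either an empty rule or the literal characters `\r\n`, and in both cases the allow-list the GUIDs point at (they look like AppLocker's default rules, e.g. `fd686d83-…` for "All files" / Administrators) is not actually configured. Either populate each `Value` with the `<FilePathRule …>` body from the baseline export or drop the SrpV2 block entirely — the member-server variant in this series carries no SrpV2 keys, which suggests this block is a capture artifact rather than part of the SCT DC baseline; an enforced Exe collection with missing rules is the kind of thing that can block logon scripts and management tooling on a DC, so I would not merge it untested. The `CREATEKEY` on `Safer\*` also needs a comment, since a `*` path component is unusual for a registry key and its meaning depends on the regpol applier, e.g. `# SCT baseline export; confirm how the applier treats '*' in this path`.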
diff --git a/ash-windows/sct/Windows_2022Server_DC/user_registry.yml b/ash-windows/sct/Windows_2022Server_DC/user_registry.yml
new file mode 100644
index 0000000..fe51488
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_DC/user_registry.yml
@@ -0,0 +1 @@
+[]
diff --git a/ash-windows/sct/Windows_2022Server_MS/audit.csv b/ash-windows/sct/Windows_2022Server_MS/audit.csv
new file mode 100644
index 0000000..05cae4d
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_MS/audit.csv
@@ -0,0 +1,24 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
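Review bot: This member-server audit policy appears to be the same export as the Windows 11 client `audit.csv` added earlier in this patch (the index line shows blob `05cae4d` for both), so it should be diffed against the Server 2022 Member Server baseline's own audit export rather than assumed to match; the server and client baselines do not necessarily agree on every subcategory (Audit Logoff is one I would check), and a copied client export would silently under-audit the server. CSV has no comment syntax, so record the SCT release and source GPO the file was generated from in the `init.sls` placeholder or a README next to it, e.g. `{#- Exported from SCT <version>, "MSFT Windows Server 2022 - Member Server" audit policy #}`.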
diff --git a/ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml b/ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml
new file mode 100644
index 0000000..961c07b
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml
@@ -0,0 +1,188 @@
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateTokenPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTrustedCredManAccessPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-20,*S-1-5-19,*S-1-5-6,*S-1-5-32-544'
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeEnableDelegationPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreatePermanentPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-11,*S-1-5-32-544'
+- name: SeDenyNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-114'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-20,*S-1-5-19,*S-1-5-6,*S-1-5-32-544'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTcbPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDenyRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-113'
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+ policy_type: regpol
+ value: O:BAG:BAD:(A;;RC;;;BA)
+ vtype: SZ
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
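Review bot: `SeDenyNetworkLogonRight` lists only `*S-1-5-114` (local accounts in Administrators) and `SeDenyRemoteInteractiveLogonRight` only `*S-1-5-113`; as I recall the SCT member-server baseline also puts Guests (`*S-1-5-32-546`) in both deny lists, so confirm against the exported GptTmpl.inf before merging — if Guests belongs there the lines become `value: '*S-1-5-32-546,*S-1-5-114'` and `value: '*S-1-5-32-546,*S-1-5-113'`. The empty-string values (`SeTcbPrivilege`, `SeCreateTokenPrivilege`, `SeEnableDelegationPrivilege`, …) mean "assigned to no one", which is correct but not obvious to a reader; a single comment at the top of the file, `# secedit user rights: value is a comma-separated SID list, '' = no one; regpol entries are the Security Options half of the baseline`, plus the SCT release the file was generated from, would let the next reviewer diff it against the source instead of relying on memory.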
diff --git a/ash-windows/sct/Windows_2022Server_MS/init.sls b/ash-windows/sct/Windows_2022Server_MS/init.sls
new file mode 100644
index 0000000..53afed9
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_MS/init.sls
@@ -0,0 +1 @@
+{#- Placeholder init file #}
diff --git a/ash-windows/sct/Windows_2022Server_MS/machine_registry.yml b/ash-windows/sct/Windows_2022Server_MS/machine_registry.yml
new file mode 100644
index 0000000..3d9fa35
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_MS/machine_registry.yml
@@ -0,0 +1,255 @@
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '196608'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1,RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1,RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PolicyVersion
+ policy_type: regpol
+ value: '538'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
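Review bot: `Microsoft Services\AdmPwd\AdmPwdEnabled=1` configures the legacy (Microsoft) LAPS policy; that key only takes effect when the legacy LAPS CSE is installed or, as I understand it, when the built-in Windows LAPS shipped in the 2023 updates runs in legacy-emulation mode, and the native Windows LAPS policy lives under `Software\Policies\Microsoft\Windows\LAPS`, which this file does not set. Add a comment so nobody assumes local Administrator password rotation is covered by this baseline alone, e.g. `# legacy LAPS policy only; Windows LAPS (Software\Policies\Microsoft\Windows\LAPS) not configured — confirm CSE / emulation mode on the target image`. `LocalAccountTokenFilterPolicy=0`, `EnumerateLocalUsers=0` and `Rpc\RestrictRemoteClients=1` are the member-server-only items that distinguish this file from the DC variant; a one-line role header at the top would make that divergence visibly deliberate rather than something a later "sync the two files" change flattens.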
diff --git a/ash-windows/sct/Windows_2022Server_MS/user_registry.yml b/ash-windows/sct/Windows_2022Server_MS/user_registry.yml
new file mode 100644
index 0000000..fe51488
--- /dev/null
+++ b/ash-windows/sct/Windows_2022Server_MS/user_registry.yml
@@ -0,0 +1 @@
+[]
From e3fb8ebf44353be105cbad1199e2976cbbf809b3 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:46:29 -0400
Subject: [PATCH 03/22] Adds DISA STIG for Windows Server 2022 and Windows 11
---
ash-windows/stig/Windows_11/stig.yml | 744 ++++++++++++++++++
ash-windows/stig/Windows_11/stig_audit.csv | 27 +
.../stig/Windows_2022Server_DC/stig.yml | 606 ++++++++++++++
.../stig/Windows_2022Server_DC/stig_audit.csv | 26 +
.../stig/Windows_2022Server_MS/stig.yml | 597 ++++++++++++++
.../stig/Windows_2022Server_MS/stig_audit.csv | 23 +
6 files changed, 2023 insertions(+)
create mode 100644 ash-windows/stig/Windows_11/stig.yml
create mode 100644 ash-windows/stig/Windows_11/stig_audit.csv
create mode 100644 ash-windows/stig/Windows_2022Server_DC/stig.yml
create mode 100644 ash-windows/stig/Windows_2022Server_DC/stig_audit.csv
create mode 100644 ash-windows/stig/Windows_2022Server_MS/stig.yml
create mode 100644 ash-windows/stig/Windows_2022Server_MS/stig_audit.csv
diff --git a/ash-windows/stig/Windows_11/stig.yml b/ash-windows/stig/Windows_11/stig.yml
new file mode 100644
index 0000000..67ec79d
--- /dev/null
+++ b/ash-windows/stig/Windows_11/stig.yml
@@ -0,0 +1,744 @@
+- key: User\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: User\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableThirdPartySuggestions
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: User\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicy
+ policy_type: regpol
+ value: '4096'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Classes\cmdfile\shell\runasuser\SuppressionPolicy
+ policy_type: regpol
+ value: '4096'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicy
+ policy_type: regpol
+ value: '4096'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Classes\mscfile\shell\runasuser\SuppressionPolicy
+ policy_type: regpol
+ value: '4096'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager\config\AutoConnectAllowedOEM
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartBanner
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordComplexity
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordLength
+ policy_type: regpol
+ value: '14'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordAgeDays
+ policy_type: regpol
+ value: '60'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DevicePKInitEnabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DevicePKInitBehavior
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\EccCurves
+ policy_type: regpol
+ value: NistP384\0NistP256
+ vtype: MULTISZ
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPM
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN
+ policy_type: regpol
+ value: '6'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\PassportForWork\RequireSecurityDevice
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices\TPM12
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\MinimumPINLength
+ policy_type: regpol
+ value: '6'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisableInventory
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\LetAppsActivateWithVoiceAboveLock
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DataCollection\LimitEnhancedDiagnosticDataWindowsAnalytics
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '1024000'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\GameDVR\AllowGameDVR
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Installer\SafeForScripting
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory
+ policy_type: regpol
+ value: C
+ vtype: SZ
+- action: DELETE
+ key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader
+ policy_type: regpol
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\AllowDomainPINLogon
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowFullControl
+ policy_type: regpol
+- action: DELETE
+ key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiry
+ policy_type: regpol
+- action: DELETE
+ key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiryUnits
+ policy_type: regpol
+- action: DELETE
+ key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fUseMailto
+ policy_type: regpol
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- name: MinimumPasswordAge
+ policy_type: secedit
+ value: '1'
+- name: MaximumPasswordAge
+ policy_type: secedit
+ value: '60'
+- name: MinimumPasswordLength
+ policy_type: secedit
+ value: '14'
+- name: PasswordComplexity
+ policy_type: secedit
+ value: '1'
+- name: PasswordHistorySize
+ policy_type: secedit
+ value: '24'
+- name: LockoutBadCount
+ policy_type: secedit
+ value: '3'
+- name: ResetLockoutCount
+ policy_type: secedit
+ value: '15'
+- name: LockoutDuration
+ policy_type: secedit
+ value: '15'
+- name: NewAdministratorName
+ policy_type: secedit
+ value: '"X_Admin"'
+- name: NewGuestName
+ policy_type: secedit
+ value: '"Visitor"'
+- name: ClearTextPassword
+ policy_type: secedit
+ value: '0'
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: EnableAdminAccount
+ policy_type: secedit
+ value: '0'
+- name: EnableGuestAccount
+ policy_type: secedit
+ value: '0'
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
+ policy_type: regpol
+ value: '30'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+ policy_type: regpol
+ value: O:BAG:BAD:(A;;RC;;;BA)
+ vtype: SZ
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
+ policy_type: regpol
+ value: You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.By using this IS (which includes any device
+ attached to this IS)"" you consent to the following conditions:-The USG routinely
+ intercepts and monitors communications on this IS for purposes including"" but
+ not limited to"" penetration testing"" COMSEC monitoring"" network operations
+ and defense"" personnel misconduct (PM)"" law enforcement (LE)"" and counterintelligence
+ (CI) investigations.-At any time"" the USG may inspect and seize data stored on
+ this IS.-Communications using"" or data stored on"" this IS are not private""
+ are subject to routine monitoring"" interception"" and search"" and may be disclosed
+ or used for any USG-authorized purpose.-This IS includes security measures (e.g.""
+ authentication and access controls) to protect USG interests--not for your personal
+ benefit or privacy.-Notwithstanding the above"" using this IS does not constitute
+ consent to PM"" LE or CI investigative searching or monitoring of the content
+ of privileged communications"" or work product"" related to personal representation
+ or services by attorneys"" psychotherapists"" or clergy"" and their assistants.
+ Such communications and work product are private and confidential. See User Agreement
+ for details.
+ vtype: MULTISZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
+ policy_type: regpol
+ value: US Department of Defense Warning Statement
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
+ policy_type: regpol
+ value: '2147483640'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
+ policy_type: regpol
+ value: '10'
+ vtype: SZ
+- name: SeTrustedCredManAccessPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-32-555'
+- name: SeTcbPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-32-545'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeSystemtimePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-19'
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateTokenPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6'
+- name: SeCreatePermanentPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateSymbolicLinkPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeEnableDelegationPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDenyNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-113,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeDenyBatchLogonRight
+ policy_type: secedit
+ value: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
+- name: SeDenyServiceLogonRight
+ policy_type: secedit
+ value: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
+- name: SeDenyInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeDenyRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-113,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
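Review bot: The `PowerShell\Transcription\OutputDirectory` entry is set to the bare string `C`, which looks like a path truncated at the drive colon during conversion; transcription is an audit control, so this should be a full directory (constructed example: `value: 'C:\Transcripts'`) or the entry held back until the intended path is confirmed. The `LegalNoticeText` MULTISZ value carries `""` sequences wherever the DoD banner text has commas (e.g. `attached to this IS)"" you consent`), which is CSV-escape residue and will render a garbled logon banner; restore plain commas. The five `SeDeny*LogonRight` entries keep the literal placeholders `ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS`, which secedit cannot resolve to a SID; either substitute real group SIDs at apply time or strip the placeholders so the deny rights still apply to the resolvable entries rather than failing as a whole. Entries from `Netlogon\Parameters\SignSecureChannel` onward use a `MACHINE\` prefix while the rest of the file uses `Computer\`; if the regpol backend only maps `Computer\`/`User\` to hive roots, those entries would be silently skipped, so the prefix handling is worth confirming.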
diff --git a/ash-windows/stig/Windows_11/stig_audit.csv b/ash-windows/stig/Windows_11/stig_audit.csv
new file mode 100644
index 0000000..918fe42
--- /dev/null
+++ b/ash-windows/stig/Windows_11/stig_audit.csv
@@ -0,0 +1,27 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
diff --git a/ash-windows/stig/Windows_2022Server_DC/stig.yml b/ash-windows/stig/Windows_2022Server_DC/stig.yml
new file mode 100644
index 0000000..9ec9f87
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_DC/stig.yml
@@ -0,0 +1,606 @@
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\AppCompat\DisableInventory
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '196608'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\SafeForScripting
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory
+ policy_type: regpol
+ value: C
+ vtype: SZ
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- name: MinimumPasswordAge
+ policy_type: secedit
+ value: '1'
+- name: MaximumPasswordAge
+ policy_type: secedit
+ value: '60'
+- name: MinimumPasswordLength
+ policy_type: secedit
+ value: '14'
+- name: PasswordComplexity
+ policy_type: secedit
+ value: '1'
+- name: PasswordHistorySize
+ policy_type: secedit
+ value: '24'
+- name: LockoutBadCount
+ policy_type: secedit
+ value: '3'
+- name: ResetLockoutCount
+ policy_type: secedit
+ value: '15'
+- name: LockoutDuration
+ policy_type: secedit
+ value: '15'
+- name: NewAdministratorName
+ policy_type: secedit
+ value: '"X_Admin"'
+- name: NewGuestName
+ policy_type: secedit
+ value: '"Visitor"'
+- name: ClearTextPassword
+ policy_type: secedit
+ value: '0'
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: EnableGuestAccount
+ policy_type: secedit
+ value: '0'
+- name: MaxTicketAge
+ policy_type: secedit
+ value: '-1'
+- name: MaxRenewAge
+ policy_type: secedit
+ value: '8'
+- name: MaxServiceAge
+ policy_type: secedit
+ value: '-1'
+- name: TicketValidateClient
+ policy_type: secedit
+ value: '1'
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
+ policy_type: regpol
+ value: '4'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
+ policy_type: regpol
+ value: '2147483640'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
+ policy_type: regpol
+ value: US Department of Defense Warning Statement
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
+ policy_type: regpol
+ value: You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.By using this IS (which includes any device
+ attached to this IS)"" you consent to the following conditions:-The USG routinely
+ intercepts and monitors communications on this IS for purposes including"" but
+ not limited to"" penetration testing"" COMSEC monitoring"" network operations
+ and defense"" personnel misconduct (PM)"" law enforcement (LE)"" and counterintelligence
+ (CI) investigations.-At any time"" the USG may inspect and seize data stored on
+ this IS.-Communications using"" or data stored on"" this IS are not private""
+ are subject to routine monitoring"" interception"" and search"" and may be disclosed
+ or used for any USG-authorized purpose.-This IS includes security measures (e.g.""
+ authentication and access controls) to protect USG interests--not for your personal
+ benefit or privacy.-Notwithstanding the above"" using this IS does not constitute
+ consent to PM"" LE or CI investigative searching or monitoring of the content
+ of privileged communications"" or work product"" related to personal representation
+ or services by attorneys"" psychotherapists"" or clergy"" and their assistants.
+ Such communications and work product are private and confidential. See User Agreement
+ for details.
+ vtype: MULTISZ
+- key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+ policy_type: regpol
+ value: O:BAG:BAD:(A;;RC;;;BA)
+ vtype: SZ
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
+ policy_type: regpol
+ value: '30'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- name: SeDenyNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeDenyBatchLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeDenyInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeDenyRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateTokenPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6'
+- name: SeCreatePermanentPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateSymbolicLinkPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeAuditPrivilege
+ policy_type: secedit
+ value: '*S-1-5-20,*S-1-5-19'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
+- name: SeIncreaseBasePriorityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-11,*S-1-5-9'
+- name: SeDenyServiceLogonRight
+ policy_type: secedit
+ value: ''
+- name: SeEnableDelegationPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTcbPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTrustedCredManAccessPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeMachineAccountPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
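Review bot: The PowerShell transcription OutputDirectory (L2687–L2690) is the bare string `C`, which is not a usable path and reads like a truncated `C:\...` value (the Windows_2022Server_MS stig.yml at L3344–L3347 carries the same value); transcripts would presumably land in a relative directory named `C` rather than the protected location the STIG intends, so the line should be `value: '<transcript-output-directory>'` with the real path filled in. The LegalNoticeText value (L2903–L2919) contains `""` sequences where the DoD banner has commas, e.g. `attached to this IS)"" you consent`, an export artefact that will be shown verbatim at logon; each `""` should become `,` and the `-` separators should be checked against the intended MULTISZ line breaks. LsaCfgFlags is `3` here (L2610) but `1` in the member-server file (L3267), and Microsoft documents Credential Guard as unsupported on domain controllers, so this entry likely wants dropping or the intended value confirming. The Kerberos policy values MaxTicketAge/MaxServiceAge `-1` and MaxRenewAge `8` (L2837–L2845) do not match the usual STIG limits of 10 hours, 600 minutes and 7 days; if `-1` is meant as "not defined" that deserves a `# not enforced: <reason>` comment, otherwise the values need correcting. Separately, the Windows_2022Server_MS stig.yml hunk opens with a stray `[]` (L3176) ahead of the block sequence, which will make that document fail to parse.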
diff --git a/ash-windows/stig/Windows_2022Server_DC/stig_audit.csv b/ash-windows/stig/Windows_2022Server_DC/stig_audit.csv
new file mode 100644
index 0000000..6a7e7ac
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_DC/stig_audit.csv
@@ -0,0 +1,26 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
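Review bot: Several subcategories enabled in the workstation audit.csv earlier on this page are absent from this DC baseline: Other Logon/Logoff Events (L2509), Detailed File Share (L2511), File Share (L2512), MPSSVC Rule-Level Policy Change (L2518) and Other Policy Change Events (L2519). Whether the Server 2022 DC STIG requires each of them I cannot confirm from the page, but an omission here silently leaves the subcategory at its default, so the difference should be deliberate and ideally recorded in the commit message. If the omissions are intentional, a one-line note in the init.sls or README stating that this CSV is role-specific and intentionally narrower than the workstation one would prevent the next maintainer from "fixing" it.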
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig.yml b/ash-windows/stig/Windows_2022Server_MS/stig.yml
new file mode 100644
index 0000000..596e0ec
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_MS/stig.yml
@@ -0,0 +1,597 @@
+[]
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordComplexity
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordLength
+ policy_type: regpol
+ value: '14'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordAgeDays
+ policy_type: regpol
+ value: '60'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\AppCompat\DisableInventory
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '196608'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\SafeForScripting
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory
+ policy_type: regpol
+ value: C
+ vtype: SZ
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- name: MinimumPasswordAge
+ policy_type: secedit
+ value: '1'
+- name: MaximumPasswordAge
+ policy_type: secedit
+ value: '60'
+- name: MinimumPasswordLength
+ policy_type: secedit
+ value: '14'
+- name: PasswordComplexity
+ policy_type: secedit
+ value: '1'
+- name: PasswordHistorySize
+ policy_type: secedit
+ value: '24'
+- name: LockoutBadCount
+ policy_type: secedit
+ value: '3'
+- name: ResetLockoutCount
+ policy_type: secedit
+ value: '15'
+- name: LockoutDuration
+ policy_type: secedit
+ value: '15'
+- name: NewAdministratorName
+ policy_type: secedit
+ value: '"X_Admin"'
+- name: NewGuestName
+ policy_type: secedit
+ value: '"Visitor"'
+- name: ClearTextPassword
+ policy_type: secedit
+ value: '0'
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: EnableGuestAccount
+ policy_type: secedit
+ value: '0'
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
+ policy_type: regpol
+ value: '4'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
+ policy_type: regpol
+ value: '2147483640'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
+ policy_type: regpol
+ value: US Department of Defense Warning Statement
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
+ policy_type: regpol
+ value: You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.By using this IS (which includes any device
+ attached to this IS)"" you consent to the following conditions:-The USG routinely
+ intercepts and monitors communications on this IS for purposes including"" but
+ not limited to"" penetration testing"" COMSEC monitoring"" network operations
+ and defense"" personnel misconduct (PM)"" law enforcement (LE)"" and counterintelligence
+ (CI) investigations.-At any time"" the USG may inspect and seize data stored on
+ this IS.-Communications using"" or data stored on"" this IS are not private""
+ are subject to routine monitoring"" interception"" and search"" and may be disclosed
+ or used for any USG-authorized purpose.-This IS includes security measures (e.g.""
+ authentication and access controls) to protect USG interests--not for your personal
+ benefit or privacy.-Notwithstanding the above"" using this IS does not constitute
+ consent to PM"" LE or CI investigative searching or monitoring of the content
+ of privileged communications"" or work product"" related to personal representation
+ or services by attorneys"" psychotherapists"" or clergy"" and their assistants.
+ Such communications and work product are private and confidential. See User Agreement
+ for details.
+ vtype: MULTISZ
+- key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+ policy_type: regpol
+ value: O:BAG:BAD:(A;;RC;;;BA)
+ vtype: SZ
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
+ policy_type: regpol
+ value: '30'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- name: SeDenyNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-114,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeDenyBatchLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeDenyInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeDenyRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-113,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateTokenPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
+- name: SeCreatePermanentPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeCreateSymbolicLinkPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeAuditPrivilege
+ policy_type: secedit
+ value: '*S-1-5-19,*S-1-5-20'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6'
+- name: SeIncreaseBasePriorityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-11'
+- name: SeDenyServiceLogonRight
+ policy_type: secedit
+ value: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
+- name: SeEnableDelegationPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTcbPrivilege
+ policy_type: secedit
+ value: ''
+- name: SeTrustedCredManAccessPrivilege
+ policy_type: secedit
+ value: ''
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig_audit.csv b/ash-windows/stig/Windows_2022Server_MS/stig_audit.csv
new file mode 100644
index 0000000..a761ea9
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_MS/stig_audit.csv
@@ -0,0 +1,23 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
From 826dc6f11e475450316cad40449ad65b1f88276c Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Wed, 10 Jul 2024 09:41:34 -0400
Subject: [PATCH 04/22] Add Windows 2022 and Windows 11 to role map
---
ash-windows/map.jinja | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ash-windows/map.jinja b/ash-windows/map.jinja
index a82f953..13c023f 100644
--- a/ash-windows/map.jinja
+++ b/ash-windows/map.jinja
@@ -22,9 +22,11 @@
# Define default role for supported Operating System versions
{% set default_role = salt.grains.filter_by(
{
+ '2022Server' : 'MemberServer',
'2019Server' : 'MemberServer',
'2016Server' : 'MemberServer',
'2012ServerR2' : 'MemberServer',
+ '11' : 'Workstation',
'10' : 'Workstation',
},
grain='osrelease'
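Review bot: The new `'11' : 'Workstation'` entry only takes effect if the minion's `osrelease` grain actually reports `11`; I believe older Salt releases derived that grain from the 10.0 kernel version and reported Windows 11 hosts as `10`, in which case a Windows 11 minion would silently get the Windows 10 role and baseline. Worth confirming the minimum Salt version this map depends on and recording it next to the entry, e.g. `# '11' relies on an osrelease grain that distinguishes Windows 11 from Windows 10; confirm the minimum Salt version`. The `filter_by` call continues outside the hunk.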
From 1935cb877c572da944ee71f24cd845f945f917dc Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Tue, 30 Jul 2024 11:07:56 -0400
Subject: [PATCH 05/22] Adds more details to the STIG update instructions
---
ash-windows/Convert_STIG_Policies.md | 90 +++++++++++++++++++++-------
1 file changed, 68 insertions(+), 22 deletions(-)
diff --git a/ash-windows/Convert_STIG_Policies.md b/ash-windows/Convert_STIG_Policies.md
index 2bf2a8e..bd9eb80 100644
--- a/ash-windows/Convert_STIG_Policies.md
+++ b/ash-windows/Convert_STIG_Policies.md
@@ -1,31 +1,70 @@
+- Download the latest available DISA-provided GPO baseline zip file: https://public.cyber.mil/stigs/gpo/
+
+- Unzip the GPO baseline file on your computer
+
+- Open the unzipped folder and browse to the desired baseline to update
+
+- To identify the STIG GPO baseline associated with each GUID, you have to navigate into the GUID directories and open gpreport.xml. The tag near the top in the xml will identify the STIG baseline provided
+
+- Depending on the baseline, the `Machine` and `User` policies maybe under the same GUID or separate GUIDs. In either case, the following steps still applies
+
+ - Open `{GUID}\DomainSysvol\GPO\Machine` and copy `registry.pol` to the `stig/` folder, renaming it to `machine_registry.pol`. Skip this step if `registry.pol` is missing or contains no policies (e.g. File size is very small)
+
+ - Check for `audit.csv` and `GptTmpl.inf` files under `{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\` and copy them to `stig/`
+
+ - Open `{GUID}\DomainSysvol\GPO\User` and copy `registry.pol` to the `stig/` folder, renaming it to `user_registry.pol`. Again, skip if
+ `registry.pol` is missing or contains no policies (e.g. File size is very small)
+
+ - Run the PowerShell code below from the root of the ash-windows-formula repo
+
```powershell
$baselines = @(
- 'IE_10',
- 'IE_11',
- 'IE_8',
- 'IE_9',
- 'Windows_2008ServerR2_DC',
- 'Windows_2008ServerR2_MS',
- 'Windows_2012ServerR2_DC',
- 'Windows_2012ServerR2_MS',
- 'Windows_8.1',
+ 'IE_11'
'Windows_10'
+ 'Windows_11'
+ 'Windows_2012ServerR2_DC'
+ 'Windows_2012ServerR2_MS'
+ 'Windows_2016Server_DC'
+ 'Windows_2016Server_MS'
+ 'Windows_2019Server_DC'
+ 'Windows_2019Server_MS'
+ 'Windows_2022Server_DC'
+ 'Windows_2022Server_MS'
)
foreach ($baseline in $baselines)
{
- $dir = Resolve-Path ".\ash-windows\stig\$baseline"
- $StigInf = "${dir}\stig.inf"
- $StigTxt = "${dir}\stig.txt"
+ $dir = ".\ash-windows\stig\$baseline"
+ $gpttmpl_inf = "$dir\GptTmpl.inf"
+ $user_pol = "$dir\user_registry.pol"
+ $machine_pol = "$dir\machine_registry.pol"
+
+ $TxtFile = "$gpttmpl_inf"
+ $YmlFile = "$(Resolve-Path $dir)\gpttmpl.yml"
+ if (Test-Path "$TxtFile")
+ {
+ Write-Host "Processing $TxtFile"
+ python .\ash-windows\tools\convert-lgpo-policy.py `
+ src_file="$TxtFile" `
+ dst_file="$YmlFile"
+ }
+ else
+ {
+ # We need to ensure an empty YmlFile exists
+ $null = New-Item -Path $YmlFile -ItemType File -Force
+ }
- $PolFile = $StigInf
- $YmlFile = "${dir}\stig.inf.yml"
- if (Test-Path "$PolFile")
+ $TxtFile = "${dir}\user_registry.txt"
+ $YmlFile = "${dir}\user_registry.yml"
+ rm $TxtFile -ErrorAction SilentlyContinue
+ if (Test-Path "$user_pol")
{
- Write-Host "Processing $PolFile"
+ .\ash-windows\tools\LGPO.exe /parse /u "$user_pol" | Out-File "$TxtFile" -Encoding "ascii"
+ Write-Host "Processing $TxtFile"
python .\ash-windows\tools\convert-lgpo-policy.py `
- src_file="$PolFile" `
+ src_file="$TxtFile" `
dst_file="$YmlFile"
+ rm $TxtFile -ErrorAction SilentlyContinue
}
else
{
@@ -33,19 +72,26 @@ foreach ($baseline in $baselines)
$null = New-Item -Path $YmlFile -ItemType File -Force
}
- $PolFile = $StigTxt
- $YmlFile = "${dir}\stig.txt.yml"
- if (Test-Path "$PolFile")
+ $TxtFile = "${dir}\machine_registry.txt"
+ $YmlFile = "${dir}\machine_registry.yml"
+ #rm $TxtFile -ErrorAction SilentlyContinue
+ if (Test-Path "$machine_pol")
{
- Write-Host "Processing $PolFile"
+ .\ash-windows\tools\LGPO.exe /parse /m "$machine_pol" | Out-File "$TxtFile" -Encoding "ascii"
+ Write-Host "Processing $TxtFile"
python .\ash-windows\tools\convert-lgpo-policy.py `
- src_file="$PolFile" `
+ src_file="$TxtFile" `
dst_file="$YmlFile"
+ rm $TxtFile -ErrorAction SilentlyContinue
}
else
{
# We need to ensure an empty YmlFile exists
$null = New-Item -Path $YmlFile -ItemType File -Force
}
+ # Combine yml files into single stig.yml file
+ Get-Content -Path ${dir}\user_registry.yml,${dir}\machine_registry.yml,$dir\gpttmpl.yml | Set-Content -Path $dir\stig.yml
}
```
+
+- After a new `stig.yml` file is generated for the STIG baseline being updated, open the file and inspect the policies. The DISA policies may have placeholder values that need to be updated or remove as needed for your environment.
From 4d1413c366dcb689b56402726078c75e28ea332f Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 2 Aug 2024 14:19:21 -0400
Subject: [PATCH 06/22] Clean up miscellaneous text and placeholder values
---
ash-windows/stig/Windows_11/stig.yml | 38 ++++++++-----------
.../stig/Windows_2022Server_DC/stig.yml | 24 ++++++------
.../stig/Windows_2022Server_MS/stig.yml | 36 ++++++++----------
3 files changed, 44 insertions(+), 54 deletions(-)
diff --git a/ash-windows/stig/Windows_11/stig.yml b/ash-windows/stig/Windows_11/stig.yml
index 67ec79d..2d4c891 100644
--- a/ash-windows/stig/Windows_11/stig.yml
+++ b/ash-windows/stig/Windows_11/stig.yml
@@ -96,7 +96,7 @@
vtype: DWORD
- key: Computer\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\EccCurves
policy_type: regpol
- value: NistP384\0NistP256
+ value: NistP384 NistP256
vtype: MULTISZ
- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup
policy_type: regpol
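Review bot: Replacing the `\0` separator with a space in the `EccCurves` value turns what was two MULTISZ entries (`NistP384`, `NistP256`) into what is most likely a single string `NistP384 NistP256`, unless the formula's regpol handler splits MULTISZ values on whitespace — that handler is not visible here. If it does not split, the installed curve list would contain one unrecognised name and the intended restriction to P-384/P-256 would not be applied as written. Either keep a separator the handler understands or express the value as a YAML list if `vtype: MULTISZ` accepts one, and note the convention in place, e.g. `# MULTISZ: one entry per <separator>` (placeholder for whatever the handler expects).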
@@ -594,19 +594,19 @@
policy_type: regpol
value: You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.By using this IS (which includes any device
- attached to this IS)"" you consent to the following conditions:-The USG routinely
- intercepts and monitors communications on this IS for purposes including"" but
- not limited to"" penetration testing"" COMSEC monitoring"" network operations
- and defense"" personnel misconduct (PM)"" law enforcement (LE)"" and counterintelligence
- (CI) investigations.-At any time"" the USG may inspect and seize data stored on
- this IS.-Communications using"" or data stored on"" this IS are not private""
- are subject to routine monitoring"" interception"" and search"" and may be disclosed
- or used for any USG-authorized purpose.-This IS includes security measures (e.g.""
+ attached to this IS) you consent to the following conditions:-The USG routinely
+ intercepts and monitors communications on this IS for purposes including but
+ not limited to penetration testing COMSEC monitoring network operations
+ and defense personnel misconduct (PM) law enforcement (LE) and counterintelligence
+ (CI) investigations.-At any time the USG may inspect and seize data stored on
+ this IS.-Communications using or data stored on this IS are not private
+ are subject to routine monitoring interception and search and may be disclosed
+ or used for any USG-authorized purpose.-This IS includes security measures (e.g.
authentication and access controls) to protect USG interests--not for your personal
- benefit or privacy.-Notwithstanding the above"" using this IS does not constitute
- consent to PM"" LE or CI investigative searching or monitoring of the content
- of privileged communications"" or work product"" related to personal representation
- or services by attorneys"" psychotherapists"" or clergy"" and their assistants.
+ benefit or privacy.-Notwithstanding the above using this IS does not constitute
+ consent to PM LE or CI investigative searching or monitoring of the content
+ of privileged communications or work product related to personal representation
+ or services by attorneys psychotherapists or clergy and their assistants.
Such communications and work product are private and confidential. See User Agreement
for details.
vtype: MULTISZ
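Review bot: Stripping the `""` sequences from the `LegalNoticeText` value also drops the commas they appear to stand for — in the INF/secedit form of a comma-delimited MULTISZ a doubled quote marks a literal comma — so the new banner reads `purposes including but not limited to penetration testing COMSEC monitoring network operations`, without the punctuation of the DoD notice the STIG check compares this text against. Replacing each `""` with `,` instead of deleting it would keep the mandated wording; the same edit appears in the hunks at `@@ -371,19 +371,19 @@` (Windows_2022Server_DC) and `@@ -376,19 +375,19 @@` (Windows_2022Server_MS). If the converter is being changed to do this automatically (patch 09), it should substitute rather than delete, so the banner does not need hand-correction after each regeneration.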
@@ -726,19 +726,13 @@
value: '*S-1-5-32-544'
- name: SeDenyNetworkLogonRight
policy_type: secedit
- value: '*S-1-5-113,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
-- name: SeDenyBatchLogonRight
- policy_type: secedit
- value: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
-- name: SeDenyServiceLogonRight
- policy_type: secedit
- value: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
+ value: '*S-1-5-113,*S-1-5-32-546'
- name: SeDenyInteractiveLogonRight
policy_type: secedit
- value: '*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+ value: '*S-1-5-32-546'
- name: SeDenyRemoteInteractiveLogonRight
policy_type: secedit
- value: '*S-1-5-113,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+ value: '*S-1-5-113,*S-1-5-32-546'
- name: SeImpersonatePrivilege
policy_type: secedit
value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
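Review bot: The `SeDenyBatchLogonRight` and `SeDenyServiceLogonRight` entries are removed entirely rather than trimmed like `SeDenyNetworkLogonRight`, so the Windows 11 baseline now leaves those two user rights unmanaged, whereas an entry with `value: ''` (as used for `SeTcbPrivilege` elsewhere in this file) would explicitly clear them. The removed placeholders stood for the domain's Enterprise Admins and Domain Admins groups, which the STIG still expects in these deny rights on domain-joined hosts; dropping them leaves nothing in the file pointing at that requirement. A comment such as `# STIG: on domain-joined systems also deny Enterprise Admins and Domain Admins here; supply the SIDs per environment` next to the remaining deny entries would preserve the intent; the same removal is made at `@@ -583,9 +582,6 @@` in Windows_2022Server_MS.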
diff --git a/ash-windows/stig/Windows_2022Server_DC/stig.yml b/ash-windows/stig/Windows_2022Server_DC/stig.yml
index 9ec9f87..6a34fcf 100644
--- a/ash-windows/stig/Windows_2022Server_DC/stig.yml
+++ b/ash-windows/stig/Windows_2022Server_DC/stig.yml
@@ -371,19 +371,19 @@
policy_type: regpol
value: You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.By using this IS (which includes any device
- attached to this IS)"" you consent to the following conditions:-The USG routinely
- intercepts and monitors communications on this IS for purposes including"" but
- not limited to"" penetration testing"" COMSEC monitoring"" network operations
- and defense"" personnel misconduct (PM)"" law enforcement (LE)"" and counterintelligence
- (CI) investigations.-At any time"" the USG may inspect and seize data stored on
- this IS.-Communications using"" or data stored on"" this IS are not private""
- are subject to routine monitoring"" interception"" and search"" and may be disclosed
- or used for any USG-authorized purpose.-This IS includes security measures (e.g.""
+ attached to this IS) you consent to the following conditions:-The USG routinely
+ intercepts and monitors communications on this IS for purposes including but
+ not limited to penetration testing COMSEC monitoring network operations
+ and defense personnel misconduct (PM) law enforcement (LE) and counterintelligence
+ (CI) investigations.-At any time the USG may inspect and seize data stored on
+ this IS.-Communications using or data stored on this IS are not private
+ are subject to routine monitoring interception and search and may be disclosed
+ or used for any USG-authorized purpose.-This IS includes security measures (e.g.
authentication and access controls) to protect USG interests--not for your personal
- benefit or privacy.-Notwithstanding the above"" using this IS does not constitute
- consent to PM"" LE or CI investigative searching or monitoring of the content
- of privileged communications"" or work product"" related to personal representation
- or services by attorneys"" psychotherapists"" or clergy"" and their assistants.
+ benefit or privacy.-Notwithstanding the above using this IS does not constitute
+ consent to PM LE or CI investigative searching or monitoring of the content
+ of privileged communications or work product related to personal representation
+ or services by attorneys psychotherapists or clergy and their assistants.
Such communications and work product are private and confidential. See User Agreement
for details.
vtype: MULTISZ
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig.yml b/ash-windows/stig/Windows_2022Server_MS/stig.yml
index 596e0ec..15eba8e 100644
--- a/ash-windows/stig/Windows_2022Server_MS/stig.yml
+++ b/ash-windows/stig/Windows_2022Server_MS/stig.yml
@@ -1,4 +1,3 @@
-[]
- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
policy_type: regpol
value: '0'
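Review bot: The stray `[]` being removed looks like the YAML dump of an empty policy list from one of the three per-file outputs that the documented `Get-Content ... | Set-Content` step concatenates into `stig.yml`; `[]` followed by `- key:` entries is not valid YAML, so deleting it is correct, but it will reappear the next time this baseline is regenerated. It would be more durable to have the conversion script emit nothing for an empty policy list, or to skip empty/`[]` files before concatenation; that concatenation step lives in `Convert_STIG_Policies.md`, outside this hunk.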
@@ -376,19 +375,19 @@
policy_type: regpol
value: You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.By using this IS (which includes any device
- attached to this IS)"" you consent to the following conditions:-The USG routinely
- intercepts and monitors communications on this IS for purposes including"" but
- not limited to"" penetration testing"" COMSEC monitoring"" network operations
- and defense"" personnel misconduct (PM)"" law enforcement (LE)"" and counterintelligence
- (CI) investigations.-At any time"" the USG may inspect and seize data stored on
- this IS.-Communications using"" or data stored on"" this IS are not private""
- are subject to routine monitoring"" interception"" and search"" and may be disclosed
- or used for any USG-authorized purpose.-This IS includes security measures (e.g.""
+ attached to this IS) you consent to the following conditions:-The USG routinely
+ intercepts and monitors communications on this IS for purposes including but
+ not limited to penetration testing COMSEC monitoring network operations
+ and defense personnel misconduct (PM) law enforcement (LE) and counterintelligence
+ (CI) investigations.-At any time the USG may inspect and seize data stored on
+ this IS.-Communications using or data stored on this IS are not private
+ are subject to routine monitoring interception and search and may be disclosed
+ or used for any USG-authorized purpose.-This IS includes security measures (e.g.
authentication and access controls) to protect USG interests--not for your personal
- benefit or privacy.-Notwithstanding the above"" using this IS does not constitute
- consent to PM"" LE or CI investigative searching or monitoring of the content
- of privileged communications"" or work product"" related to personal representation
- or services by attorneys"" psychotherapists"" or clergy"" and their assistants.
+ benefit or privacy.-Notwithstanding the above using this IS does not constitute
+ consent to PM LE or CI investigative searching or monitoring of the content
+ of privileged communications or work product related to personal representation
+ or services by attorneys psychotherapists or clergy and their assistants.
Such communications and work product are private and confidential. See User Agreement
for details.
vtype: MULTISZ
@@ -510,16 +509,16 @@
vtype: DWORD
- name: SeDenyNetworkLogonRight
policy_type: secedit
- value: '*S-1-5-114,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+ value: '*S-1-5-114,*S-1-5-32-546'
- name: SeDenyBatchLogonRight
policy_type: secedit
- value: '*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+ value: '*S-1-5-32-546'
- name: SeDenyInteractiveLogonRight
policy_type: secedit
- value: '*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+ value: '*S-1-5-32-546'
- name: SeDenyRemoteInteractiveLogonRight
policy_type: secedit
- value: '*S-1-5-113,*S-1-5-32-546,ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS'
+ value: '*S-1-5-113,*S-1-5-32-546'
- name: SeInteractiveLogonRight
policy_type: secedit
value: '*S-1-5-32-544'
@@ -583,9 +582,6 @@
- name: SeNetworkLogonRight
policy_type: secedit
value: '*S-1-5-32-544,*S-1-5-11'
-- name: SeDenyServiceLogonRight
- policy_type: secedit
- value: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
- name: SeEnableDelegationPrivilege
policy_type: secedit
value: ''
From 205ff3b66d2a25fa2bc65c5c1ae803977dad61a9 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 2 Aug 2024 14:24:19 -0400
Subject: [PATCH 07/22] Fix linting errors
---
ash-windows/Convert_STIG_Policies.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ash-windows/Convert_STIG_Policies.md b/ash-windows/Convert_STIG_Policies.md
index bd9eb80..974c692 100644
--- a/ash-windows/Convert_STIG_Policies.md
+++ b/ash-windows/Convert_STIG_Policies.md
@@ -12,8 +12,7 @@
- Check for `audit.csv` and `GptTmpl.inf` files under `{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\` and copy them to `stig/`
- - Open `{GUID}\DomainSysvol\GPO\User` and copy `registry.pol` to the `stig/` folder, renaming it to `user_registry.pol`. Again, skip if
- `registry.pol` is missing or contains no policies (e.g. File size is very small)
+ - Open `{GUID}\DomainSysvol\GPO\User` and copy `registry.pol` to the `stig/` folder, renaming it to `user_registry.pol`. Again, skip if `registry.pol` is missing or contains no policies (e.g. File size is very small)
- Run the PowerShell code below from the root of the ash-windows-formula repo
From 91c729dcd3bcd5ec6639471684d42ea2835aaf30 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:48:07 -0400
Subject: [PATCH 08/22] Adds MULTISZ registry type as an option in conversion
script
---
ash-windows/tools/convert-lgpo-policy.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ash-windows/tools/convert-lgpo-policy.py b/ash-windows/tools/convert-lgpo-policy.py
index 4d01c4a..36f9c05 100644
--- a/ash-windows/tools/convert-lgpo-policy.py
+++ b/ash-windows/tools/convert-lgpo-policy.py
@@ -9,7 +9,7 @@
REG_CODE_MAP = {"1": "SZ", "2": "EXSZ", "3": "BINARY", "4": "DWORD", "7": "MULTISZ"}
REG_MODES = ("DELETE", "DELETEALLVALUES", "CREATEKEY")
REG_HIVES = ("USER", "COMPUTER")
-REG_TYPES = ("DWORD", "SZ", "EXSZ")
+REG_TYPES = ("DWORD", "SZ", "EXSZ", "MULTISZ")
def _convert_regpol(src):
From 98904338ec79778e3fdbe26e163b3a3bd85d34af Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 2 Aug 2024 15:26:34 -0400
Subject: [PATCH 09/22] Remove double qoutes during conversion
---
ash-windows/tools/convert-lgpo-policy.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ash-windows/tools/convert-lgpo-policy.py b/ash-windows/tools/convert-lgpo-policy.py
index 36f9c05..bee6a71 100644
--- a/ash-windows/tools/convert-lgpo-policy.py
+++ b/ash-windows/tools/convert-lgpo-policy.py
@@ -73,7 +73,7 @@ def _convert_secedit(src):
policy["key"] = line.split("=")[0].strip()
policy["vtype"] = REG_CODE_MAP[line.split("=")[1].split(",")[0].strip()]
policy["value"] = (
- "".join(line.split("=")[1].split(",")[1:]).strip().strip('"')
+ "".join(line.split("=")[1].split(",")[1:]).strip().strip('"').replace('""','')
)
if not policy["vtype"].upper() in REG_TYPES:
print(
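Review bot: The added `.replace('""', '')` at the `+` line deletes the `""` that the preceding `"".join(...split(","))` leaves behind wherever the INF value contained a comma, instead of restoring whatever that comma stood for (an element separator or a literal comma inside a quoted string), so the converted value silently loses structure; the effect is visible later in this series, where the old LegalNoticeText (e.g. `use only.By using this IS` and `including but not limited to penetration testing COMSEC monitoring`) has lost both its line breaks and its commas. Dropping the join-then-replace and keeping the raw remainder of the line would at least preserve the information until a proper REG_MULTI_SZ parser exists, e.g. `policy["value"] = line.split("=", 1)[1].partition(",")[2].strip().strip('"')` — the `split("=", 1)` also stops truncating values that themselves contain `=`. The enclosing `_convert_secedit` starts outside the hunk.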
From f3ebed8d88b745858d23b7522a31d8b6485a8111 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 2 Aug 2024 15:40:05 -0400
Subject: [PATCH 10/22] Adds support for REG_MULTI_SZ vtype in custom module
---
_modules/win_lgpo_ash.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/_modules/win_lgpo_ash.py b/_modules/win_lgpo_ash.py
index 38c9d5d..81e76dc 100644
--- a/_modules/win_lgpo_ash.py
+++ b/_modules/win_lgpo_ash.py
@@ -98,6 +98,8 @@ def __init__(self):
"REG_DWORD": "REG_DWORD",
"SZ": "REG_SZ",
"REG_SZ": "REG_SZ",
+ "MULTISZ": "REG_MULTI_SZ",
+ "REG_MULTI_SZ": "REG_MULTI_SZ",
},
"hives": {
"COMPUTER": "Machine",
@@ -512,6 +514,8 @@ def _buildKnownDataSearchString(
this_element_value = struct.pack(b"Q", int(reg_data))
elif reg_vtype == "REG_SZ":
this_element_value = _encode_string(reg_data)
+ elif reg_vtype == "REG_MULTI_SZ":
+ this_element_value = _encode_string(reg_data)
return b"".join(
[
"[".encode("utf-16-le"),
From 8adf3c91da90da50266a0a3acebcf1f8b5bc29a0 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Mon, 5 Aug 2024 16:56:08 -0400
Subject: [PATCH 11/22] Fixes from python linting
---
ash-windows/tools/convert-lgpo-policy.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ash-windows/tools/convert-lgpo-policy.py b/ash-windows/tools/convert-lgpo-policy.py
index bee6a71..ef16ac4 100644
--- a/ash-windows/tools/convert-lgpo-policy.py
+++ b/ash-windows/tools/convert-lgpo-policy.py
@@ -73,7 +73,10 @@ def _convert_secedit(src):
policy["key"] = line.split("=")[0].strip()
policy["vtype"] = REG_CODE_MAP[line.split("=")[1].split(",")[0].strip()]
policy["value"] = (
- "".join(line.split("=")[1].split(",")[1:]).strip().strip('"').replace('""','')
+ "".join(line.split("=")[1].split(",")[1:])
+ .strip()
+ .strip('"')
+ .replace('""', "")
)
if not policy["vtype"].upper() in REG_TYPES:
print(
From 9ffaa9b71cd29f501e520e2f05fd1b54b160ce21 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Tue, 6 Aug 2024 16:45:24 -0400
Subject: [PATCH 12/22] Remove unnecessary settings
---
.../stig/Windows_2022Server_DC/stig.yml | 24 ----------------
.../stig/Windows_2022Server_MS/stig.yml | 28 ++-----------------
2 files changed, 2 insertions(+), 50 deletions(-)
diff --git a/ash-windows/stig/Windows_2022Server_DC/stig.yml b/ash-windows/stig/Windows_2022Server_DC/stig.yml
index 6a34fcf..48afdc4 100644
--- a/ash-windows/stig/Windows_2022Server_DC/stig.yml
+++ b/ash-windows/stig/Windows_2022Server_DC/stig.yml
@@ -288,12 +288,6 @@
- name: LockoutDuration
policy_type: secedit
value: '15'
-- name: NewAdministratorName
- policy_type: secedit
- value: '"X_Admin"'
-- name: NewGuestName
- policy_type: secedit
- value: '"Visitor"'
- name: ClearTextPassword
policy_type: secedit
value: '0'
@@ -532,15 +526,9 @@
- name: SeCreatePagefilePrivilege
policy_type: secedit
value: '*S-1-5-32-544'
-- name: SeCreateTokenPrivilege
- policy_type: secedit
- value: ''
- name: SeCreateGlobalPrivilege
policy_type: secedit
value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6'
-- name: SeCreatePermanentPrivilege
- policy_type: secedit
- value: ''
- name: SeCreateSymbolicLinkPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
@@ -562,9 +550,6 @@
- name: SeLoadDriverPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
-- name: SeLockMemoryPrivilege
- policy_type: secedit
- value: ''
- name: SeSecurityPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
@@ -586,18 +571,9 @@
- name: SeNetworkLogonRight
policy_type: secedit
value: '*S-1-5-32-544,*S-1-5-11,*S-1-5-9'
-- name: SeDenyServiceLogonRight
- policy_type: secedit
- value: ''
- name: SeEnableDelegationPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
-- name: SeTcbPrivilege
- policy_type: secedit
- value: ''
-- name: SeTrustedCredManAccessPrivilege
- policy_type: secedit
- value: ''
- name: SeMachineAccountPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig.yml b/ash-windows/stig/Windows_2022Server_MS/stig.yml
index 15eba8e..7927e5a 100644
--- a/ash-windows/stig/Windows_2022Server_MS/stig.yml
+++ b/ash-windows/stig/Windows_2022Server_MS/stig.yml
@@ -304,12 +304,6 @@
- name: LockoutDuration
policy_type: secedit
value: '15'
-- name: NewAdministratorName
- policy_type: secedit
- value: '"X_Admin"'
-- name: NewGuestName
- policy_type: secedit
- value: '"Visitor"'
- name: ClearTextPassword
policy_type: secedit
value: '0'
@@ -509,7 +503,7 @@
vtype: DWORD
- name: SeDenyNetworkLogonRight
policy_type: secedit
- value: '*S-1-5-114,*S-1-5-32-546'
+ value: '*S-1-5-32-546'
- name: SeDenyBatchLogonRight
policy_type: secedit
value: '*S-1-5-32-546'
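Review bot: The `+` line narrows SeDenyNetworkLogonRight on the member-server file to Guests only by dropping `*S-1-5-114` (Local account and member of Administrators group), and the following hunk does the same to SeDenyRemoteInteractiveLogonRight by dropping `*S-1-5-113` (Local account); the commit message calls these "unnecessary", but these SIDs are the controls that stop local administrator credentials from being usable over the network and RDP, and the companion DC file in this commit is not changed the same way. If the intent is to support non-domain-joined or image-build hosts, the rationale belongs next to the value so a later reviewer does not restore it blindly, e.g. `# S-1-5-113/S-1-5-114 omitted: blocks image builds on standalone hosts; re-add for domain-joined deployments`. If that is not the intent, the two values should keep the local-account SIDs.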
@@ -518,7 +512,7 @@
value: '*S-1-5-32-546'
- name: SeDenyRemoteInteractiveLogonRight
policy_type: secedit
- value: '*S-1-5-113,*S-1-5-32-546'
+ value: '*S-1-5-32-546'
- name: SeInteractiveLogonRight
policy_type: secedit
value: '*S-1-5-32-544'
@@ -528,15 +522,9 @@
- name: SeCreatePagefilePrivilege
policy_type: secedit
value: '*S-1-5-32-544'
-- name: SeCreateTokenPrivilege
- policy_type: secedit
- value: ''
- name: SeCreateGlobalPrivilege
policy_type: secedit
value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
-- name: SeCreatePermanentPrivilege
- policy_type: secedit
- value: ''
- name: SeCreateSymbolicLinkPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
@@ -558,9 +546,6 @@
- name: SeLoadDriverPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
-- name: SeLockMemoryPrivilege
- policy_type: secedit
- value: ''
- name: SeSecurityPrivilege
policy_type: secedit
value: '*S-1-5-32-544'
@@ -582,12 +567,3 @@
- name: SeNetworkLogonRight
policy_type: secedit
value: '*S-1-5-32-544,*S-1-5-11'
-- name: SeEnableDelegationPrivilege
- policy_type: secedit
- value: ''
-- name: SeTcbPrivilege
- policy_type: secedit
- value: ''
-- name: SeTrustedCredManAccessPrivilege
- policy_type: secedit
- value: ''
From d7d8ceae7c8747e1901166071d9da129553ca79c Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Tue, 6 Aug 2024 16:46:56 -0400
Subject: [PATCH 13/22] Add blank state init.sls files
---
ash-windows/stig/Windows_2022Server_DC/init.sls | 1 +
ash-windows/stig/Windows_2022Server_MS/init.sls | 1 +
2 files changed, 2 insertions(+)
create mode 100644 ash-windows/stig/Windows_2022Server_DC/init.sls
create mode 100644 ash-windows/stig/Windows_2022Server_MS/init.sls
diff --git a/ash-windows/stig/Windows_2022Server_DC/init.sls b/ash-windows/stig/Windows_2022Server_DC/init.sls
new file mode 100644
index 0000000..1ba4ad6
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_DC/init.sls
@@ -0,0 +1 @@
+#No additional stig requirements
diff --git a/ash-windows/stig/Windows_2022Server_MS/init.sls b/ash-windows/stig/Windows_2022Server_MS/init.sls
new file mode 100644
index 0000000..1ba4ad6
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_MS/init.sls
@@ -0,0 +1 @@
+#No additional stig requirements
From 8e7b0518579c3d013a3d683044e055a612397f4f Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Wed, 7 Aug 2024 09:59:09 -0400
Subject: [PATCH 14/22] Add new DOD CA cert configs from installroot
---
ash-windows/stig/dodcerts.sls | 165 ++++++++++++++++++++++++++++++++++
1 file changed, 165 insertions(+)
diff --git a/ash-windows/stig/dodcerts.sls b/ash-windows/stig/dodcerts.sls
index d258a02..5113c54 100644
--- a/ash-windows/stig/dodcerts.sls
+++ b/ash-windows/stig/dodcerts.sls
@@ -711,6 +711,171 @@ CERTS = [
.upper()
),
},
+ {
+ 'id': 'SV-254442r921943_rule',
+ 'keys': [
+ r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF',
+ ],
+ 'vdata': base64.b16decode(
+ '19000000010000001000000064e538af3f9c3db9371ccc5d6d0cbea40f000000'
+ '0100000030000000fc40844747a19f02135b1a9533f8bb03b52e41cf77d85026'
+ '9334b82839ddbb40f0ff150daa2600f064a3ae8bd3c814c90300000001000000'
+ '14000000d37ecf61c0b4ed88681ef3630c4e2fc787b37aef1400000001000000'
+ '14000000134f3cbbdb5d4529a59470b6daac9e4ce22fc10b2000000001000000'
+ '79050000308205753082035da003020102020101300d06092a864886f70d0101'
+ '0c0500305b310b300906035504061302555331183016060355040a130f552e53'
+ '2e20476f7665726e6d656e74310c300a060355040b1303446f44310c300a0603'
+ '55040b1303504b49311630140603550403130d446f4420526f6f742043412036'
+ '3020170d3233303132343136333631375a180f32303533303132343136333631'
+ '375a305b310b300906035504061302555331183016060355040a130f552e532e'
+ '20476f7665726e6d656e74310c300a060355040b1303446f44310c300a060355'
+ '040b1303504b49311630140603550403130d446f4420526f6f74204341203630'
+ '820222300d06092a864886f70d01010105000382020f003082020a0282020100'
+ 'bca81bbed30e753a41bc7f0dd17874bf8ad729f401050b8113c2e9ad7f0952fa'
+ 'd9b1054dee9493c04c81c2fd308e83a4e4b2f8a3bf0b7c44976680e5108f5bbf'
+ 'f8f128e82eed80180ce6dd114779180852368f5b5139b2785d514468b94a245f'
+ '64cad09e83bf1c67fbe51b9e6d5024e584055ad3d141fa9f58957e53363bef13'
+ '9efb801faf78e20e41d176ba28de0ea70df6e8bc6b1cee049c0b239a23bb50b2'
+ 'b01ad067fc9e39b30df7f208b2f153d8035d11567a41d0a14edc2685db40c457'
+ 'b395a8a8241e3df384c4e5a3782bbe9079af6fce68d0d4f9a7db7b4673354dc2'
+ '9c9163b84ecf9bfb49a9f06504c9ef19ba4549132ee1e315d5707f4c74f39b78'
+ '0e38685d9e1662466a4f4606347067825debd27314481c696d0f2598e7e1f83e'
+ '62ad4ac1c5460f6017acaed0bf2f4b31401cce32a5186ccba9373de50e29593d'
+ 'cb9ea3d7cd77207815abbddf6ad6d77fe3f42f0ab736c081800fce6baec11331'
+ '752dc95c1f2bdd9b5cfcc225b17c5b5dba8931d5202d9d33195a12d15a7c5afc'
+ '6dede288afde067d01dabdbd8f5feded1b60673a827816036b11b4b6f35ee787'
+ 'ad4bc3cd051c8ee16cc99f6086955df91daae1c638e8faaee0955c88c42275af'
+ 'ed28ba61fbf357ebe13ee6fc7e6e139f2a4a2aaa7eed448a1c6c7f872221fd00'
+ 'd0be1ae631c603006378269232c525a0f808ea6fb6fe1d0f1df87eff3669e9b1'
+ '0203010001a3423040301d0603551d0e04160414134f3cbbdb5d4529a59470b6'
+ 'daac9e4ce22fc10b300e0603551d0f0101ff040403020186300f0603551d1301'
+ '01ff040530030101ff300d06092a864886f70d01010c05000382020100b69cd9'
+ 'e10283d63721090cfb6a7ba3ab21f03817838825d9033da63a28c583fd0eb19f'
+ '99a9228ef5c8cdf54dc87de47338914fbf2af50fa023963a2cb82c39275810f3'
+ '35d0fe91750c1aa42efbe81e225409cfc25fd841e97afe6346976c0d5281c2e5'
+ '763f7e90247cc6809876d364ceeaa9d1c80bb86dbf24e7030697c59105add58a'
+ 'c7e48d15f0d8df0253b2e3f9faef86e46cff746e0a822fed5e14bff6b85da543'
+ '2116ced40c833971c1916c7370b295f8dc9cad55beb54e6d1398a820add43b75'
+ '1496fc816d8ee72345b0f9f9c0fc357935ce10fedb056166729efd6313bff607'
+ '467a357f0c9e85bfb73c5ca2b8b126a9711fc550f90787d7aa4852977058d74c'
+ '12a6f0a9bd8b7c1bb080d25d12d9e2ddad851b6da581c02dd7b5ba0b143c5dbe'
+ 'f109ddef40af2e64e3e84785db6260f68dbfb1d5560ec9f11f0f9bd3024e4ec0'
+ 'e782bf74b5d9c2deaa40b23e35142eac560c643ebfa38d3ea6e6ae80efdce22f'
+ '7702d1604f93991aa3de23e4d0e5ff30acbb949e8c68d6a2321ffd314f69b80b'
+ 'c7ea334ef08ba519728785eb57081d22c4ce0e7c76c44dcc7f1918b3fa8bfaf9'
+ 'bf616fcacf114a7e5729c3ba3a662152d611a07d9858d9f9847775673917340d'
+ '57b0791b61bb42e56286cb6d31954f5282f3dfcfe70dadd16dc9637b940c8ccb'
+ '030403b2aa9ad42df2925e3dc8dbc73c1daa87ed34aae4dee7293281c5'
+ .upper()
+ ),
+ },
+ {
+ 'id': 'SV-254443r890553_rule',
+ 'keys': [
+ r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\49CBE933151872E17C8EAE7F0ABA97FB610F6477',
+ ],
+ 'vdata': base64.b16decode(
+ '0f0000000100000020000000218c13a44c41140235dbc6282efd960147673155'
+ 'bd10530b93a1e604cfe7bb8d03000000010000001400000049cbe933151872e1'
+ '7c8eae7f0aba97fb610f647720000000010000004a050000308205463082042e'
+ 'a0030201020202087b300d06092a864886f70d01010b0500306c310b30090603'
+ '5504061302555331183016060355040a130f552e532e20476f7665726e6d656e'
+ '74310c300a060355040b1303446f44310c300a060355040b1303504b49312730'
+ '250603550403131e446f4420496e7465726f7065726162696c69747920526f6f'
+ '742043412032301e170d3231313131363134353731365a170d32343131313631'
+ '34353731365a305b310b300906035504061302555331183016060355040a130f'
+ '552e532e20476f7665726e6d656e74310c300a060355040b1303446f44310c30'
+ '0a060355040b1303504b49311630140603550403130d446f4420526f6f742043'
+ '41203330820122300d06092a864886f70d01010105000382010f003082010a02'
+ '82010100a9ec14728ae84b70a3da100384a6fba7360d2a3a5216bf3015528605'
+ '4720cfaaa6cd75c4646eeff16023cb0a6640aeb4c8682a0051684937e959324d'
+ '95bc4327e9408d3a10ce14bc4318a1f9decce78576735e181a235bbd3f1ff2ed'
+ '8d19cc03d140a48fa720024c275a7936f6a337218e005a0616cad355966f3129'
+ 'bb720ecbe24851f2d437a435d66fee17b3b106ab0b1986e8236d311b287865c5'
+ 'de6252bcc17debeea05d5404fbb2cb2bb2235491824cf0bfba74403b0c044580'
+ '675cc5eba257c31a7f0a2dbd7fb9dcc199b0c807e40c8636943a252ff27de697'
+ '3c1b94b4975906c93ae40bd9eae9fc3b73346ffde798e4f3a1c2905f1cf53f2e'
+ 'd719d37f0203010001a3820201308201fd301f0603551d23041830168014fff8'
+ 'ae138b922b799241a3765c2c819e9ac59c78300f0603551d130101ff04053003'
+ '0101ff300e0603551d0f0101ff04040302010630470603551d1f0440303e303c'
+ 'a03aa0388636687474703a2f2f63726c2e646973612e6d696c2f63726c2f444f'
+ '44494e5445524f5045524142494c495459524f4f544341322e63726c301d0603'
+ '551d0e041604146c8a94a277b180721d817a16aaf2dcce66ee45c0307c06082b'
+ '060105050701010470306e304a06082b06010505073002863e687474703a2f2f'
+ '63726c2e646973612e6d696c2f697373756564746f2f444f44494e5445524f50'
+ '45524142494c495459524f4f544341325f49542e703763302006082b06010505'
+ '0730018614687474703a2f2f6f6373702e646973612e6d696c30760603551d20'
+ '046f306d300b0609608648016502010b24300b0609608648016502010b27300b'
+ '0609608648016502010b2a300c060a6086480165030201030d300c060a608648'
+ '01650302010311300c060a60864801650302010327300c060a60864801650302'
+ '010328300c060a60864801650302010329300f0603551d240101ff0405300380'
+ '0100304a06082b0601050507010b043e303c303a06082b06010505073005862e'
+ '687474703a2f2f63726c2e646973612e6d696c2f69737375656462792f444f44'
+ '524f4f544341335f49422e703763300d06092a864886f70d01010b0500038201'
+ '0100dc97193aefa99324086b43e2a1bcac0867a87d7c95562efdb8906342505d'
+ '912affb377545066b10d2562dbcc05b5f570d599a0c7a9e7c33e731c5d9b7ac0'
+ '558b82fd53531f7b32b8fa0ce7035b3cd0f7cf50150c576a0a2068fb9fe1749c'
+ '8074ce4e50ec75b971558529791b9df893f8e50051f5d62c1b84f0a6ee2eee47'
+ '896fffa9a22d0b99d3a5f81cdb0468ebf2de8086086c0f6aa5f5ee021bf4d3e9'
+ '9963c67ff8f78f6e034ab21002eb8ebb4b2709cf9fc601c21e0fac25aaa012ea'
+ '00b99ebcaf4cd4f30062b7c4619d02efefc5bab7a2ec8e7307fcb25254165dbe'
+ '1e66b19eb355b3597eb70d178c294f0c3918cd4c0dd5008e58afb8455420d204'
+ 'a003'
+ .upper()
+ ),
+ },
+ {
+ 'id': 'SV-254444r894343_rule',
+ 'keys': [
+ r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9B74964506C7ED9138070D08D5F8B969866560C8',
+ ],
+ 'vdata': base64.b16decode(
+ '0f00000001000000200000007ed1d675f37b9e355c9ff616846b03f83d1f3534e'
+ '5748dc868e304b1e19fecf40300000001000000140000009b74964506c7ed9138'
+ '070d08d5f8b969866560c820000000010000001905000030820515308203fda00'
+ '3020102020205c7300d06092a864886f70d01010b05003074310b300906035504'
+ '061302555331183016060355040a130f552e532e20476f7665726e6d656e74310'
+ 'c300a060355040b1303446f44310c300a060355040b1303504b49312f302d0603'
+ '5504031326555320446f44204343454220496e7465726f7065726162696c69747'
+ '920526f6f742043412032301e170d3232303731393133353632325a170d323530'
+ '3731383133353632325a305b310b3009060355040613025553311830160603550'
+ '40a130f552e532e20476f7665726e6d656e74310c300a060355040b1303446f44'
+ '310c300a060355040b1303504b49311630140603550403130d446f4420526f6f7'
+ '4204341203330820122300d06092a864886f70d01010105000382010f00308201'
+ '0a0282010100a9ec14728ae84b70a3da100384a6fba7360d2a3a5216bf3015528'
+ '6054720cfaaa6cd75c4646eeff16023cb0a6640aeb4c8682a0051684937e95932'
+ '4d95bc4327e9408d3a10ce14bc4318a1f9decce78576735e181a235bbd3f1ff2e'
+ 'd8d19cc03d140a48fa720024c275a7936f6a337218e005a0616cad355966f3129'
+ 'bb720ecbe24851f2d437a435d66fee17b3b106ab0b1986e8236d311b287865c5d'
+ 'e6252bcc17debeea05d5404fbb2cb2bb2235491824cf0bfba74403b0c04458067'
+ '5cc5eba257c31a7f0a2dbd7fb9dcc199b0c807e40c8636943a252ff27de6973c1'
+ 'b94b4975906c93ae40bd9eae9fc3b73346ffde798e4f3a1c2905f1cf53f2ed719'
+ 'd37f0203010001a38201c8308201c4301f0603551d23041830168014162b91dae'
+ '2170c96ab5c7dde7d48f25da800ace7301d0603551d0e041604146c8a94a277b1'
+ '80721d817a16aaf2dcce66ee45c0300e0603551d0f0101ff04040302010630300'
+ '603551d2004293027300b0609608648016502010b24300b060960864801650201'
+ '0b27300b0609608648016502010b2a300f0603551d130101ff040530030101ff3'
+ '00f0603551d240101ff04053003800100304d0603551d1f044630443042a040a0'
+ '3e863c687474703a2f2f63726c2e646973612e6d696c2f63726c2f5553444f444'
+ '3434542494e5445524f5045524142494c495459524f4f544341322e63726c3081'
+ '8206082b0601050507010104763074305006082b0601050507300286446874747'
+ '03a2f2f63726c2e646973612e6d696c2f697373756564746f2f5553444f444343'
+ '4542494e5445524f5045524142494c495459524f4f544341325f49542e7037633'
+ '02006082b060105050730018614687474703a2f2f6f6373702e646973612e6d69'
+ '6c304a06082b0601050507010b043e303c303a06082b06010505073005862e687'
+ '474703a2f2f63726c2e646973612e6d696c2f69737375656462792f444f44524f'
+ '4f544341335f49422e703763300d06092a864886f70d01010b050003820101003'
+ '48309c512b15ce9b12b650ddfa62347e8e55d9dde66dc76bda8de3e0a8d8c6646'
+ 'ebc2661604ad9d3be77d1ce3ce8a02587102e04b8701ff5fbe5dbdc1bd3beeb69'
+ '6510fbdb3deaae1a4dd2967b94610bd7163ad691019eae3da3b4afc9dd39010a3'
+ '15ef1905e1b4e520b0929a83ad3b90e4cdcda3396da29c832e39b1abb964386d0'
+ '6c73c8e8bd4d0ba6027e140d8c3b564204b3b4c470c674f454922e0c934cb931d'
+ '40dff0c44a297815e5c60b0b902b7b116611190e589e8cee94abcf75bf150d3d6'
+ 'fcedeeffe74fa155196e64a513163c4121e269a33d14e109afa422c6a8ab65304'
+ '6f4ed0f7f77d17c2b669f87999c1ef61ab217cbf64b244edb9498106'
+ .upper()
+ ),
+ },
]
def run():
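Review bot: The three new `CERTS` entries are opaque hex blobs keyed only by STIG rule id and thumbprint, so a maintainer cannot tell which certificate each one installs or why two of them go to the `Disallowed` store rather than `Root` without decoding the DER by hand. A one-line comment per entry would fix that; from the subject bytes in the blobs the first appears to be "DoD Root CA 6" (trusted root) and the other two appear to be cross-certificates for "DoD Root CA 3" issued by the DoD and CCEB Interoperability Root CA 2 (placed in Disallowed to break the cross-chain) — please confirm against the InstallRoot output before writing it down, e.g. `'id': 'SV-254442r921943_rule',  # DoD Root CA 6, trusted Root store`. It would also be worth stating, once above the list, that the thumbprint in each key path must equal the SHA-1 property embedded in the blob (the first entry's `d37ecf61...` appears in both places), since a mismatch would install a certificate under a name the STIG check does not look for. The `CERTS` list starts outside the hunk.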
From a6139d6925233079bb1b696b20ac25b3ec5bcf6e Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Thu, 8 Aug 2024 10:02:10 -0400
Subject: [PATCH 15/22] Updates IAVM per scap scan findings
---
ash-windows/iavm/iavm.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ash-windows/iavm/iavm.yml b/ash-windows/iavm/iavm.yml
index 5c6e0e7..5dbf1f8 100644
--- a/ash-windows/iavm/iavm.yml
+++ b/ash-windows/iavm/iavm.yml
@@ -12,7 +12,11 @@
vtype: DWORD
- key: Computer\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
policy_type: regpol
- value: '2688'
+ value: '2048'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\IEDevTools\Disabled
+ policy_type: regpol
+ value: '1'
vtype: DWORD
- key: Computer\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled
policy_type: regpol
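Review bot: The SecureProtocols value changes from `'2688'` to `'2048'` with no comment, and the number is a bitmask whose meaning a reader has to look up: 2688 is TLS 1.0 (128) + TLS 1.1 (512) + TLS 1.2 (2048), so the new value is TLS 1.2 only, which is the point of the IAVM fix. Add the decoding next to the value so the next scan-driven edit does not accidentally re-enable the legacy protocols, e.g. `value: '2048'  # TLS 1.2 only (bit flags: 128 TLS1.0, 512 TLS1.1, 2048 TLS1.2); was 2688`. The IEDevTools key path added here is corrected in the following commit, so nothing to raise on it.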
From d38691958077c90414dad81ea3003607f54ad51a Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 9 Aug 2024 11:42:13 -0400
Subject: [PATCH 16/22] Corrects registry path
---
ash-windows/iavm/iavm.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ash-windows/iavm/iavm.yml b/ash-windows/iavm/iavm.yml
index 5dbf1f8..720f5e9 100644
--- a/ash-windows/iavm/iavm.yml
+++ b/ash-windows/iavm/iavm.yml
@@ -14,7 +14,7 @@
policy_type: regpol
value: '2048'
vtype: DWORD
-- key: Computer\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\IEDevTools\Disabled
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\IEDevTools\Disabled
policy_type: regpol
value: '1'
vtype: DWORD
From 87686bc3c51186daed8a6bebca69a3e0fc6684e8 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 9 Aug 2024 14:28:40 -0400
Subject: [PATCH 17/22] Add instructions to update dodcert.sls
---
ash-windows/stig/Update_DOD_CA_certs.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 ash-windows/stig/Update_DOD_CA_certs.md
diff --git a/ash-windows/stig/Update_DOD_CA_certs.md b/ash-windows/stig/Update_DOD_CA_certs.md
new file mode 100644
index 0000000..db9cf0e
--- /dev/null
+++ b/ash-windows/stig/Update_DOD_CA_certs.md
@@ -0,0 +1,14 @@
+Over time, as old DoD Root CAs expire and new ones are released, it will be necessary to update [dodcerts.sls](https://github.com/plus3it/ash-windows-formula/blob/master/ash-windows/stig/dodcerts.sls) to incorporate the new DoD CA guidance.
+
+Process to update `dodcerts.sls`:
+- Obtain new Windows SCAP content from [DoD Cyber Exchange ](https://public.cyber.mil/stigs/scap/) and incorporate the new content in the `disa` folder of the [scap-formula](https://github.com/plus3it/scap-formula/tree/master/scap/content/guides/disa) project
+
+- Generate a SCAP scan and determine if the report indicates any DoD CA-related findings
+
+- If DoD CA findings exist, there will be a `Fix Text` section providing information on how to resolve the finding. For Windows, it involves downloading the latest version of the InstallRoot Windows installer. InstallRoot can be obtained from the public [DoD Cyber Exchange PKI/PKE](https://public.cyber.mil/pki-pke/tools-configuration-files/) website.
+
+- Download the desired Windows installer and apply it to the system
+
+- Re-run the SCAP scan to generate a new report. The new report should indicate the DoD CA findings have been resolved. For each DoD CA finding resolved, there will be a `Test` section indicating the results of the check. The result should indicate `true`. The `Collected Item/State Result` field should contain the registry information that can now be used to update `dodcert.sls`
+
+
From 31dc09d1cc005d36acadf34375601d5331a16a0d Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 16 Aug 2024 12:48:13 -0400
Subject: [PATCH 18/22] Updates conversion to properly process line breaks
---
ash-windows/tools/convert-lgpo-policy.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ash-windows/tools/convert-lgpo-policy.py b/ash-windows/tools/convert-lgpo-policy.py
index ef16ac4..d97aab3 100644
--- a/ash-windows/tools/convert-lgpo-policy.py
+++ b/ash-windows/tools/convert-lgpo-policy.py
@@ -73,10 +73,16 @@ def _convert_secedit(src):
policy["key"] = line.split("=")[0].strip()
policy["vtype"] = REG_CODE_MAP[line.split("=")[1].split(",")[0].strip()]
policy["value"] = (
- "".join(line.split("=")[1].split(",")[1:])
+ ",".join(
+ [
+ segment.replace(",", "\n")
+ for segment in ",".join(
+ line.split("=")[1].split(",")[1:]
+ ).split('","')
+ ]
+ )
.strip()
.strip('"')
- .replace('""', "")
)
if not policy["vtype"].upper() in REG_TYPES:
print(
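Review bot: The new join/split/replace chain at the `+` lines encodes two different meanings of the comma with nothing saying so: if I read it correctly, a bare `,` in the INF value is an element separator of the REG_MULTI_SZ and becomes `\n`, while the three-character sequence `","` marks a literal comma inside an element and is put back as `,`. That is exactly the kind of format knowledge that should be written above the expression, e.g. `# secedit INF REG_MULTI_SZ: a bare "," separates elements (mapped to "\n");` / `# the sequence '","' encodes a literal comma inside an element (kept as ",").` Two smaller points: the leading `",".join(line.split("=")[1].split(",")[1:])` is a round trip that could be `line.split("=", 1)[1].partition(",")[2]`, which also stops truncating values containing `=`, and the list brackets inside `",".join([...])` are unnecessary. The enclosing `_convert_secedit` starts outside the hunk.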
From 958908e46d1ab3df59c2fd9867e3ef3fae8cbecf Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 16 Aug 2024 13:50:13 -0400
Subject: [PATCH 19/22] Updated stig.yml files with new banner text
---
ash-windows/stig/Windows_11/stig.yml | 44 +++++++++++--------
.../stig/Windows_2022Server_DC/stig.yml | 42 +++++++++++-------
.../stig/Windows_2022Server_MS/stig.yml | 42 +++++++++++-------
3 files changed, 76 insertions(+), 52 deletions(-)
diff --git a/ash-windows/stig/Windows_11/stig.yml b/ash-windows/stig/Windows_11/stig.yml
index 2d4c891..0cf51d4 100644
--- a/ash-windows/stig/Windows_11/stig.yml
+++ b/ash-windows/stig/Windows_11/stig.yml
@@ -96,7 +96,7 @@
vtype: DWORD
- key: Computer\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\EccCurves
policy_type: regpol
- value: NistP384 NistP256
+ value: NistP384\0NistP256
vtype: MULTISZ
- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup
policy_type: regpol
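Review bot: `value: NistP384\0NistP256` is a plain (unquoted) YAML scalar, so `\0` is the two characters backslash and zero, not a NUL; unless the custom module translates that sequence, the registry receives an 18-character single string that SCHANNEL will not parse as two curves, which silently leaves the ECC curve policy unenforced. The LegalNoticeText hunk later in this same commit instead encodes its MULTISZ element boundaries as real line breaks, so the file now carries two separator conventions for one vtype. Pick one (the line-break form is the one that survives YAML parsing unchanged), make the module's REG_MULTI_SZ encoder split on it, and document it once at the top of the file, e.g. `# MULTISZ values: one element per line (newline-separated)`.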
@@ -592,23 +592,31 @@
vtype: DWORD
- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
policy_type: regpol
- value: You are accessing a U.S. Government (USG) Information System (IS) that is
- provided for USG-authorized use only.By using this IS (which includes any device
- attached to this IS) you consent to the following conditions:-The USG routinely
- intercepts and monitors communications on this IS for purposes including but
- not limited to penetration testing COMSEC monitoring network operations
- and defense personnel misconduct (PM) law enforcement (LE) and counterintelligence
- (CI) investigations.-At any time the USG may inspect and seize data stored on
- this IS.-Communications using or data stored on this IS are not private
- are subject to routine monitoring interception and search and may be disclosed
- or used for any USG-authorized purpose.-This IS includes security measures (e.g.
- authentication and access controls) to protect USG interests--not for your personal
- benefit or privacy.-Notwithstanding the above using this IS does not constitute
- consent to PM LE or CI investigative searching or monitoring of the content
- of privileged communications or work product related to personal representation
- or services by attorneys psychotherapists or clergy and their assistants.
- Such communications and work product are private and confidential. See User Agreement
- for details.
+ value: 'You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent
+ to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes
+ including, but not limited to, penetration testing, COMSEC monitoring, network
+ operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence
+ (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject
+ to routine monitoring, interception, and search, and may be disclosed or used
+ for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls)
+ to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE
+ or CI investigative searching or monitoring of the content of privileged communications,
+ or work product, related to personal representation or services by attorneys,
+ psychotherapists, or clergy, and their assistants. Such communications and work
+ product are private and confidential. See User Agreement for details.'
vtype: MULTISZ
- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
policy_type: regpol
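Review bot: The rewritten LegalNoticeText is now a single-quoted YAML scalar whose blank lines become real newline characters, but the vtype stays `MULTISZ` and the module's REG_MULTI_SZ branch (added earlier in this series) encodes the value the same way as REG_SZ, so unless that encoder splits on newlines the banner will be written as one element with embedded line breaks — which is probably what the logon screen shows anyway, but it is not the double-NUL-terminated multi-string the STIG check compares against. The same applies to the identical hunks for the DC and MS files that follow. Either confirm the encoder handles newline-separated elements or note the limitation above the key, e.g. `# Newlines here are element separators; requires REG_MULTI_SZ support in win_lgpo_ash`.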
diff --git a/ash-windows/stig/Windows_2022Server_DC/stig.yml b/ash-windows/stig/Windows_2022Server_DC/stig.yml
index 48afdc4..3a2b4f6 100644
--- a/ash-windows/stig/Windows_2022Server_DC/stig.yml
+++ b/ash-windows/stig/Windows_2022Server_DC/stig.yml
@@ -363,23 +363,31 @@
vtype: SZ
- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
policy_type: regpol
- value: You are accessing a U.S. Government (USG) Information System (IS) that is
- provided for USG-authorized use only.By using this IS (which includes any device
- attached to this IS) you consent to the following conditions:-The USG routinely
- intercepts and monitors communications on this IS for purposes including but
- not limited to penetration testing COMSEC monitoring network operations
- and defense personnel misconduct (PM) law enforcement (LE) and counterintelligence
- (CI) investigations.-At any time the USG may inspect and seize data stored on
- this IS.-Communications using or data stored on this IS are not private
- are subject to routine monitoring interception and search and may be disclosed
- or used for any USG-authorized purpose.-This IS includes security measures (e.g.
- authentication and access controls) to protect USG interests--not for your personal
- benefit or privacy.-Notwithstanding the above using this IS does not constitute
- consent to PM LE or CI investigative searching or monitoring of the content
- of privileged communications or work product related to personal representation
- or services by attorneys psychotherapists or clergy and their assistants.
- Such communications and work product are private and confidential. See User Agreement
- for details.
+ value: 'You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent
+ to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes
+ including, but not limited to, penetration testing, COMSEC monitoring, network
+ operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence
+ (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject
+ to routine monitoring, interception, and search, and may be disclosed or used
+ for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls)
+ to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE
+ or CI investigative searching or monitoring of the content of privileged communications,
+ or work product, related to personal representation or services by attorneys,
+ psychotherapists, or clergy, and their assistants. Such communications and work
+ product are private and confidential. See User Agreement for details.'
vtype: MULTISZ
- key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
policy_type: regpol
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig.yml b/ash-windows/stig/Windows_2022Server_MS/stig.yml
index 7927e5a..806d680 100644
--- a/ash-windows/stig/Windows_2022Server_MS/stig.yml
+++ b/ash-windows/stig/Windows_2022Server_MS/stig.yml
@@ -367,23 +367,31 @@
vtype: SZ
- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
policy_type: regpol
- value: You are accessing a U.S. Government (USG) Information System (IS) that is
- provided for USG-authorized use only.By using this IS (which includes any device
- attached to this IS) you consent to the following conditions:-The USG routinely
- intercepts and monitors communications on this IS for purposes including but
- not limited to penetration testing COMSEC monitoring network operations
- and defense personnel misconduct (PM) law enforcement (LE) and counterintelligence
- (CI) investigations.-At any time the USG may inspect and seize data stored on
- this IS.-Communications using or data stored on this IS are not private
- are subject to routine monitoring interception and search and may be disclosed
- or used for any USG-authorized purpose.-This IS includes security measures (e.g.
- authentication and access controls) to protect USG interests--not for your personal
- benefit or privacy.-Notwithstanding the above using this IS does not constitute
- consent to PM LE or CI investigative searching or monitoring of the content
- of privileged communications or work product related to personal representation
- or services by attorneys psychotherapists or clergy and their assistants.
- Such communications and work product are private and confidential. See User Agreement
- for details.
+ value: 'You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent
+ to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes
+ including, but not limited to, penetration testing, COMSEC monitoring, network
+ operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence
+ (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject
+ to routine monitoring, interception, and search, and may be disclosed or used
+ for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls)
+ to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE
+ or CI investigative searching or monitoring of the content of privileged communications,
+ or work product, related to personal representation or services by attorneys,
+ psychotherapists, or clergy, and their assistants. Such communications and work
+ product are private and confidential. See User Agreement for details.'
vtype: MULTISZ
- key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
policy_type: regpol
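Review bot: The new banner value relies on YAML single-quote folding that nothing in the file records: inside the quoted scalar each single line break becomes a space and each blank line becomes one newline, so the empty lines between paragraphs are load-bearing, and a later reflow that drops them would silently change the text pushed into LegalNoticeText. I would add a comment above the `key:` line, `# quoted scalar: blank lines fold to "\n" (presumably one MULTISZ entry per paragraph) - keep them`. The same construction appears in the preceding hunk, whose start is outside this view, so the comment belongs there as well.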
From f6cb3a699f1a589e79f6ad81c4cae91974cd2626 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 16 Aug 2024 14:07:53 -0400
Subject: [PATCH 20/22] Adds newline handling for .pol files
---
ash-windows/stig/Windows_11/stig.yml | 4 +++-
ash-windows/tools/convert-lgpo-policy.py | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ash-windows/stig/Windows_11/stig.yml b/ash-windows/stig/Windows_11/stig.yml
index 0cf51d4..c71e896 100644
--- a/ash-windows/stig/Windows_11/stig.yml
+++ b/ash-windows/stig/Windows_11/stig.yml
@@ -96,7 +96,9 @@
vtype: DWORD
- key: Computer\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\EccCurves
policy_type: regpol
- value: NistP384\0NistP256
+ value: 'NistP384
+
+ NistP256'
vtype: MULTISZ
- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup
policy_type: regpol
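Review bot: The EccCurves value is correct only because the empty line between `NistP384` and `NistP256` folds to a single newline; someone who removes what looks like a stray blank line would merge the two names into one entry, `NistP384 NistP256`, which is not a valid curve and would weaken the TLS curve policy without any error. A comment on the key would protect it, `# one curve per entry; the blank line folds to the MULTISZ separator - do not remove`. The converter change in this same patch appears to emit this layout for `\0`-separated LGPO values, so the hand edit should stay consistent with regenerated output.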
diff --git a/ash-windows/tools/convert-lgpo-policy.py b/ash-windows/tools/convert-lgpo-policy.py
index d97aab3..deb46eb 100644
--- a/ash-windows/tools/convert-lgpo-policy.py
+++ b/ash-windows/tools/convert-lgpo-policy.py
@@ -37,7 +37,7 @@ def _convert_regpol(src):
policy["action"] = src[index + 3]
else:
policy["vtype"] = src[index + 3].split(":")[0]
- policy["value"] = src[index + 3].split(":")[1]
+ policy["value"] = src[index + 3].split(":")[1].replace("\\0", "\n")
policies.append(policy)
except IndexError as exc:
raise SystemError(
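Review bot: The new line still uses `split(":")[1]`, which keeps only the text between the first and second colon, so any registry value that itself contains a colon (a path such as `C:\...` in an SZ/EXSZ entry, or a URL) is truncated to its first segment and the generated baseline silently applies a different setting than the STIG prescribes. The `\0` to newline mapping is also applied to every vtype, although `\0` is the element separator only for MULTISZ; a literal backslash-zero inside an SZ path would be corrupted. I would change the two assignments to `vtype, _, raw_value = src[index + 3].partition(":")`, `policy["vtype"] = vtype`, `policy["value"] = raw_value.replace("\\0", "\n") if vtype == "MULTISZ" else raw_value`. `_convert_regpol` begins and ends outside the hunk.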
From 998ceb7725621ada06195937ffa42acf45336293 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Fri, 16 Aug 2024 15:38:06 -0400
Subject: [PATCH 21/22] Adds empty init.sls for Salt state handling
---
ash-windows/stig/Windows_11/init.sls | 1 +
1 file changed, 1 insertion(+)
create mode 100644 ash-windows/stig/Windows_11/init.sls
diff --git a/ash-windows/stig/Windows_11/init.sls b/ash-windows/stig/Windows_11/init.sls
new file mode 100644
index 0000000..1ba4ad6
--- /dev/null
+++ b/ash-windows/stig/Windows_11/init.sls
@@ -0,0 +1 @@
+#No additional stig requirements
From dd8cd7a7d5d0ba4e98265fe9b4e20b051fd44b10 Mon Sep 17 00:00:00 2001
From: Long Lam <31355535+eemperor@users.noreply.github.com>
Date: Mon, 19 Aug 2024 10:23:23 -0400
Subject: [PATCH 22/22] Adds additional Windows 11 STIGs
---
ash-windows/stig/Windows_11/init.sls | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ash-windows/stig/Windows_11/init.sls b/ash-windows/stig/Windows_11/init.sls
index 1ba4ad6..3d3309d 100644
--- a/ash-windows/stig/Windows_11/init.sls
+++ b/ash-windows/stig/Windows_11/init.sls
@@ -1 +1,9 @@
-#No additional stig requirements
+SV-253283r828933_rule - Data Execution Prevention (DEP) must be configured to at least OptOut:
+ cmd.run:
+ - name: BCDEDIT /set "{current}" nx OptOut
+ - shell: powershell
+
+SV-253285r828939_rule - The Windows PowerShell 2.0 feature must be disabled on the system:
+ cmd.run:
+ - name: Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName MicrosoftWindowsPowerShellV2Root
+ - shell: powershell
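Review bot: Both `cmd.run` states have no `unless`/`onlyif`, so every highstate rewrites the BCD store and re-invokes `Disable-WindowsOptionalFeature`, and each run reports a change even when the system is already compliant, which hides real drift in the Salt job output. For the DEP state I would add `- unless: if ((bcdedit /enum "{current}") -match '^nx\s+(OptOut|AlwaysOn)') { exit 0 } else { exit 1 }`, accepting AlwaysOn since the STIG wording is "at least OptOut". For the PowerShell 2.0 state, `- unless: if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -eq 'Disabled') { exit 0 } else { exit 1 }`. Both settings presumably take effect only after a reboot, which is worth a short comment on each state so operators do not expect an immediate compliance-scan change.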