Forge Home

cis_security_hardening_windows

Harden Windows 10 & 11 to CIS standards

428 downloads

65 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.1 (latest)
  • 1.0.0
  • 0.2.3
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.1
  • 0.1.0 (deleted)
released Oct 8th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'canihavethisone-cis_security_hardening_windows', '1.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add canihavethisone-cis_security_hardening_windows
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install canihavethisone-cis_security_hardening_windows --version 1.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

canihavethisone/cis_security_hardening_windows — version 1.0.1 Oct 8th 2024

build status

cis_security_hardening_windows

Table of Contents

  1. Overview
  2. Description
  3. Building on CIS controls
  4. Beginning with os_hardening
  5. CIS Enforcement Levels
  6. Reference
  7. Development
  8. Release Notes

Overview

This module applies CIS benchmark hardening with a default 100% validation pass and 100% test coverage to:

  • Windows 10: Configurable, defaulted to domain-joined Level 1 & 2 + NG + BL (currently v3.0.0)
  • Windows 11: Configurable, defaulted to domain-joined Level 1 & 2 + BL (currently v3.0.0)

It also configures additional system resources as described below

Description

Windows CIS controls and other resources are applied using registry, security policy, audit policy, optional local group policy (for HKCU controls), execs and dependency modules.

This module uses a custom windows facts hash leveraging wmi, as reading the registry is unreliable for Windows 11 (and predicted for future versions).

Building on CIS controls

Additional resources are also defined, including:

Windows 10 / 11

  • users
  • remote desktop
  • firewall (limited)

Other Windows 10 / 11 parameters include:

  • cis_profile_type
  • cis_enforcement_level
  • cis_include_bitlocker
  • cis_include_nextgen
  • cis_include_hkcu
  • cis_exclude_rules
  • catalog_no_cache
  • clear_temp_files
  • enable_administrator
  • purge_unmanaged_users
  • performance_powerscheme
  • enable_remote_desktop

Defence in-depth

This module takes a defence in-depth approach, with the following built-in functions:

  • undefined users can be optionally purged (except system users)
  • where CIS recommendations have more than 1 acceptable setting, the more stringent is used

Beginning with cis_security_hardening_windows

To use this module, include cis_security_hardening_windows in your Node Classifier (ENC) or wrapping class.

At minimum, the following hiera must be provided to the module:

Windows 10 / 11:

  • cis_security_hardening_windows::logon_banner (string)
  • cis_security_hardening_windows::logon_message (string)
  • cis_security_hardening_windows::administrator_newname (string)
  • cis_security_hardening_windows::administrator_newpassword (string)
  • cis_security_hardening_windows::disabled_guest_newname (string)
  • cis_security_hardening_windows::users (hash) is required if the built-in administrator is disabled (default)

See example minimum hiera data here

CIS Enforcement Levels

  • All recommended domain-joined Level 1 & 2 + NG + BL CIS controls are enforced by default using module hiera (standalone selectable)
  • HKCU registry entries are also optionally applied by copying a preconfigured Registry.pol file to C:/Windows/System32/GroupPolicy/
  • Comments in module hiera identify the objective of each setting however CIS reference numbers are not shown as they are subject to change
  • Profile Type, Enforcement Level (1 or 2 (1+2)), BitLocker (BL), NextGen (NG) and HKCU policy inclusion are parameterised:
    cis_security_hardening_windows::cis_profile_type:      'domain'
    cis_security_hardening_windows::cis_enforcement_level: 2
    cis_security_hardening_windows::cis_include_bitlocker: true
    cis_security_hardening_windows::cis_include_nextgen:   true
    cis_security_hardening_windows::cis_include_hkcu:      true
    
  • A reference list of rules enforced via the system registry is in the hiera folder for each Windows version, eg here. Note that some additional rules are applied by Local Security Policy and Audit Policy resources however.
  • Individual controls can be overridden by any of the following methods:
    • creating a optional hiera array for cis_security_hardening_windows::cis_exclude_rules containing rule titles to be subtracted from the default included hashes (note that some rules are managed by the local_security_policy or cis_auditpol):
      cis_security_hardening_windows::cis_exclude_rules:
        - "(L1) Ensure 'Allow users to enable online speech recognition services is set to 'Disabled'"
        - "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
      
    • creating a hiera hash containing keys with different values at a higher precedence (eg domain or node) and titled any of:
      cis_security_hardening_windows::cis_level_1
      cis_security_hardening_windows::cis_level_2
      cis_security_hardening_windows::cis_bitlocker
      cis_security_hardening_windows::cis_nextgen
      cis_security_hardening_windows::cis_secpol_level_1
      cis_security_hardening_windows::cis_secpol_level_2
      cis_security_hardening_windows::cis_auditpol
      
    • other methods such as resource collectors to override registry key values if wrapping this module into your own class or control repo

Reference

See the Puppet Strings documentation.

Development

Github repo is available for contributions at https://github.com/canihavethisone/cis_security_hardening_windows

Release Notes

See changelog