# -*- coding: utf-8 -*- from setuphelpers import * import winreg def install(): #CIS-15500 - Password History run("net accounts /uniquepw:24") #CIS-15501 - Maximum password Age run("net accounts /MAXPWAGE:90") #CIS-15502 - Minimum password Age run("net accounts /minpwage:1") #CIS-15503 - Minimum password Lenght run("net accounts /MINPWLEN:14") #CIS-15505 - Relax minimum password length limits registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1") #CIS-15506 - Account lockout duration run("net accounts /lockoutduration:15") #CIS-15507 - Account lockout Threshold run("net accounts /lockoutthreshold:5") #CIS-15508 - Reset lockout counter after run("net accounts /lockoutwindow:15") #CIS-15509 - Administrator account status disabled (fr) run("net user administrateur /active:no") #CIS-15510 - 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3") #CIS-15511 - Guest account status disabled (fr) #run("net user Invité /active no") #CIS-15512 - Accounts: Limit local account use of blank passwords to console logon only' registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse","1") #CIS-15513 - Accounts: Rename Administrator Account' (fr) run("wmic useraccount where name='Administrateur' rename 'comi-adm'") #CIS-15514 - Accounts: Rename Guest Account' (fr) run("wmic useraccount where name='Invité' rename 'comiguest'") #CIS-15515 - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1") #CIS-15516 - Audit: Shut down system immediately if unable to log security audits registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0") #CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2") #CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1") #CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1") #CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. #CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1") #CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0") #CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30") #CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1") #CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0") #CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1") #CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10") #CIS-15529 - 'Interactive logon: Message text for users attempting to log on'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeText","Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi.",REG_SZ) #CIS-15530 - 'Interactive logon: Message title for users attempting to log on'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeCaption","Bienvenue sur un poste COMITARI") #CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''. registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4") #CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10") #CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2") #CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2") #CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") #CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0") #CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15") #CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1") #CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") #CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1") #CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1") #CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. #run("") #CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1") #CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1") #CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1") #CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0") #CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. #run("") #CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured. # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion") #CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured. #run("") #CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1")