105 lines
3.8 KiB
YAML
105 lines
3.8 KiB
YAML
|
|
- name: Windows Security Configuration
|
|
hosts: windows
|
|
gather_facts: yes
|
|
tasks:
|
|
# ============================================================
|
|
# SYSTEM ADMINISTRATION ELEMENT: Shared Folder Management
|
|
# ============================================================
|
|
- name: Create secure shared folder
|
|
win_file:
|
|
path: C:\SecureShare
|
|
state: directory
|
|
tags: file_mgmt
|
|
|
|
- name: Share the secure folder
|
|
win_share:
|
|
name: SecureData
|
|
path: C:\SecureShare
|
|
description: "Secure data repository"
|
|
list: yes
|
|
full: Administrators
|
|
read: "Domain Users"
|
|
deny: "Everyone"
|
|
tags: file_mgmt
|
|
|
|
- name: Set NTFS permissions on secure folder
|
|
win_acl:
|
|
path: C:\SecureShare
|
|
user: Administrators
|
|
rights: FullControl
|
|
type: allow
|
|
state: present
|
|
inheritance_flags: "ContainerInherit,ObjectInherit"
|
|
tags: ntfs_perms
|
|
|
|
- name: Add read permissions for authenticated users
|
|
win_acl:
|
|
path: C:\SecureShare
|
|
user: "Authenticated Users"
|
|
rights: ReadAndExecute
|
|
type: allow
|
|
state: present
|
|
inheritance_flags: "ContainerInherit,ObjectInherit"
|
|
tags: ntfs_perms
|
|
|
|
# ============================================================
|
|
# SYSTEM HARDENING ELEMENT: Disable Unnecessary Services
|
|
# ============================================================
|
|
- name: Check for service existence
|
|
win_shell: Get-Service -Name "{{ item }}" -ErrorAction SilentlyContinue
|
|
register: service_check
|
|
with_items:
|
|
- XblGameSave # Xbox Game Saving Service
|
|
- XboxNetApiSvc # Xbox Live Networking Service
|
|
- DiagTrack # Connected User Experiences and Telemetry
|
|
- dmwappushservice # WAP Push Message Routing Service
|
|
failed_when: false
|
|
changed_when: false
|
|
tags: hardening
|
|
|
|
- name: Disable unnecessary services if they exist
|
|
win_service:
|
|
name: "{{ item.item }}"
|
|
state: stopped
|
|
start_mode: disabled
|
|
with_items: "{{ service_check.results }}"
|
|
when: item.rc == 0
|
|
tags: hardening
|
|
|
|
- name: Report on services not found
|
|
debug:
|
|
msg: "Service {{ item.item }} not found on {{ inventory_hostname }}"
|
|
with_items: "{{ service_check.results }}"
|
|
when: item.rc != 0
|
|
tags: hardening
|
|
|
|
# ============================================================
|
|
# AD DS GPO ELEMENT 1: Password Policy
|
|
# ============================================================
|
|
- name: Configure password policy
|
|
win_security_policy:
|
|
section: System Access
|
|
key: "{{ item.key }}"
|
|
value: "{{ item.value }}"
|
|
with_items:
|
|
- { key: PasswordComplexity, value: 1 } # Enable password complexity
|
|
- { key: MinimumPasswordLength, value: 12 } # 12 character minimum
|
|
- { key: PasswordHistorySize, value: 24 } # Remember 24 passwords
|
|
when: inventory_hostname in ['wks01-charlotte', 'mgmt01-charlotte']
|
|
tags: gpo_password
|
|
|
|
# ============================================================
|
|
# AD DS GPO ELEMENT 2: Account Lockout Policy
|
|
# ============================================================
|
|
- name: Configure account lockout policy
|
|
win_security_policy:
|
|
section: System Access
|
|
key: "{{ item.key }}"
|
|
value: "{{ item.value }}"
|
|
with_items:
|
|
- { key: LockoutBadCount, value: 5 } # 5 failed attempts
|
|
- { key: ResetLockoutCount, value: 30 } # Reset counter after 30 minutes
|
|
- { key: LockoutDuration, value: 30 } # Lock for 30 minutes
|
|
when: inventory_hostname in ['wks01-charlotte', 'mgmt01-charlotte']
|
|
tags: gpo_lockout
|