dev-sec / Ansible Windows Hardening

This Ansible role provides Windows hardening configurations for the DevSec Windows baseline profile.

windows-hardening (Ansible Role)

Attention: This role has been migrated to our hardening-collection:

Please open any issues and pull requests there!

Requirements

  • Ansible 2.3.0

Variables

| Name | Default Value | Description |
| --- | --- | --- |
| `win_security_PasswordComplexity` | `1` | Flag that indicates whether the operating system MUST require that passwords meet complexity requirements. Default: True |
| `win_security_LockoutBadCount` | `4` | Number of failed logon attempts after which a user account MUST be locked out. Default: 4 |
| `win_security_ResetLockoutCount` | `15` | Number of minutes after a failed logon attempt that the account MUST be locked out. Default: 15 minutes |
| `win_security_LockoutDuration` | `15` | The number of minutes that a locked-out account MUST remain locked out before automatically becoming unlocked. Default: 15 minutes |
| `win_security_SeRemoteInteractiveLogonRight` | `*S-1-5-32-544` | Determines which users or groups can access the logon screen of a remote computer through a RDP connection. Default: Administrators |
| `win_security_SeTcbPrivilege` | `*S-1-0-0` | Allows a process to authenticate like a user and thus gain access to the same resources as a user. Default: Nobody |
| `win_security_SeMachineAccountPrivilege` | `*S-1-5-32-544` | Allows the user to add a computer to a specific domain. Default: Administrators |
| `win_security_SeTrustedCredManAccessPrivilege` | `` | Access Credential Manager as a trusted caller policy setting is used by Credential Manager during backup and restore. Default: No One |
| `win_security_SeNetworkLogonRight` | `*S-1-0-0` | Required for an account to log on using the network logon type. Default: Nobody |
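
An added example, not part of the role: a Python check that compares a `secedit /export` policy file against the defaults in the table above and reports every setting that has drifted. It assumes each variable maps to the secedit key of the same name without the `win_security_` prefix; the export text is a constructed sample.

```python
import configparser

# Defaults copied from the Variables table. Dropping the "win_security_"
# prefix to get the secedit key name is an assumption of this example.
BASELINE = {
    "PasswordComplexity": "1",
    "LockoutBadCount": "4",
    "ResetLockoutCount": "15",
    "LockoutDuration": "15",
    "SeRemoteInteractiveLogonRight": "*S-1-5-32-544",
    "SeTcbPrivilege": "*S-1-0-0",
    "SeMachineAccountPrivilege": "*S-1-5-32-544",
    "SeTrustedCredManAccessPrivilege": "",
    "SeNetworkLogonRight": "*S-1-0-0",
}

# Constructed sample in the INF layout of `secedit /export /cfg <file>`.
# A real export is UTF-16; open it with encoding="utf-16" before parsing.
SAMPLE_EXPORT = """\
[System Access]
PasswordComplexity = 1
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeTcbPrivilege = *S-1-0-0
SeMachineAccountPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-0-0
"""

def _entries(value):
    """Split a comma-separated value into an order-independent set."""
    return frozenset(p.strip() for p in value.split(",") if p.strip())

def find_drift(inf_text, baseline=BASELINE):
    """Return {key: (expected, found)} for each setting that differs."""
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(inf_text)
    actual = {k: v for s in cp.sections() for k, v in cp[s].items()}
    drift = {}
    for key, expected in baseline.items():
        # A right with no holders is absent from the export: treat as empty.
        found = actual.get(key, "")
        if _entries(found) != _entries(expected):
            drift[key] = (expected, found)
    return drift
```

On the sample, `find_drift(SAMPLE_EXPORT)` flags the raised lockout threshold and the extra SID holding the remote interactive logon right.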

Example Playbook

    - hosts: localhost
      roles:
        - dev-sec.windows-hardening

Local Testing

For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

We create multiple hosts: one Linux host on which Ansible runs, and the Windows hosts.

Next install test-kitchen:

    # Install dependencies
    gem install bundler
    bundle install

Then you can run the playbook and tests:

    # create the ansible and windows hosts
    bundle exec kitchen create

    # run ansible playbook on windows host
    bundle exec kitchen converge default-ansibleserver

    # verify windows machines
    bundle exec kitchen verify windows

Contributing

See contributor guideline.

License and Author

  • Author:: Sebastian Gumprich

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
