From 1b939567f5d468e623369d448ec63d39e585de36 Mon Sep 17 00:00:00 2001
From: Anton Markelov
Date: Wed, 25 Oct 2017 16:53:54 +1000
Subject: [PATCH 1/3] Admins should be allowed to login via winrm
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 61fdeca..5636e68 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,4 +15,4 @@ win_security_SeRemoteInteractiveLogonRight: '*S-1-5-32-544'
 win_security_SeTcbPrivilege: '*S-1-0-0'
 win_security_SeMachineAccountPrivilege: '*S-1-5-32-544'
 win_security_SeTrustedCredManAccessPrivilege: '*S-1-0-0'
-win_security_SeNetworkLogonRight: '*S-1-0-0'
+win_security_SeNetworkLogonRight: '*S-1-5-32-544'
From f57601c781f6b899579306b0f7cf717b00fc6326 Mon Sep 17 00:00:00 2001
From: Anton Markelov
Date: Mon, 13 Nov 2017 14:49:40 +1000
Subject: [PATCH 2/3] [EANSIBLE0016] Tasks that run when changed should likely be handlers
---
 handlers/main.yml | 2 ++
 tasks/security_policy.yml | 6 ++----
 2 files changed, 4 insertions(+), 4 deletions(-)
 create mode 100644 handlers/main.yml
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..a777f40
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: load gpo configuration locally
+ raw: "secedit /configure /cfg {{win_security_policy_template_location}}\\ansible_windows_hardening_security_policy.inf /db {{ win_security_policy_database_location }}\\ansible_windows_hardening.db /quiet"
\ No newline at end of file
diff --git a/tasks/security_policy.yml b/tasks/security_policy.yml
index f1a497e..a10d6f7 100644
--- a/tasks/security_policy.yml
+++ b/tasks/security_policy.yml
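Review bot: In defaults/main.yml the new `win_security_SeNetworkLogonRight: '*S-1-5-32-544'` default has no comment saying that this right gates every network logon type (SMB, RPC and WinRM alike), not only the WinRM login named in the commit subject. S-1-5-32-544 is BUILTIN\Administrators, so local administrator accounts gain network logon as well. Whether the role pairs this with a restriction through the `SeDenyNetworkLogonRight` user right for local accounts is not visible in this hunk and is worth confirming. I would add above the line `# Network logon (WinRM, SMB, RPC) for BUILTIN\Administrators only; needed for Ansible over WinRM`.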
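Review bot: In handlers/main.yml the `raw:` line interpolates `{{win_security_policy_template_location}}` and `{{ win_security_policy_database_location }}` into the secedit command line without quoting, so a path containing a space splits into separate arguments and secedit may not read the file that was just templated. Wrapping each path in escaped quotes, e.g. `/cfg \"{{ win_security_policy_template_location }}\\ansible_windows_hardening_security_policy.inf\"`, avoids that. The defaults for both variables are outside this diff; because secedit applies whatever the .inf contains, the directory they point to should be writable by administrators only. The new file also ends without a trailing newline.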
@@ -12,8 +12,6 @@
 win_template:
 src: security_policy.inf.yml
 dest: "{{win_security_policy_template_location}}\\ansible_windows_hardening_security_policy.inf"
- register: security_policy
+ notify: load gpo configuration locally

-- name: load gpo configuration locally
- raw: "secedit /configure /cfg {{win_security_policy_template_location}}\\ansible_windows_hardening_security_policy.inf /db {{ win_security_policy_database_location }}\\ansible_windows_hardening.db /quiet"
- when: security_policy.changed
+- meta: flush_handlers
\ No newline at end of file
From 81dff2ab0a9c5bfa2fd63a6832b99f9aae1e593c Mon Sep 17 00:00:00 2001
From: Anton Markelov
Date: Wed, 21 Feb 2018 10:35:48 +1000
Subject: [PATCH 3/3] ADMIN-889 update to ansible 2.4
---
 tasks/main.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index ce13819..1ef7ebe 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,30 +1,30 @@
 ---
-- include: access.yml
+- import_tasks: access.yml
 tags: access

-- include: account.yml
+- import_tasks: account.yml
 tags: account

-- include: audit.yml
+- import_tasks: audit.yml
 tags: audit

-- include: ie.yml
+- import_tasks: ie.yml
 tags: ie

-- include: misc.yml
+- import_tasks: misc.yml
 tags: misc

-- include: password_policy.yml
+- import_tasks: password_policy.yml
 tags: password_policy

-- include: powershell.yml
+- import_tasks: powershell.yml
 tags: powershell

-- include: rdp.yml
+- import_tasks: rdp.yml
 tags: rdp

-- include: security_policy.yml
+- import_tasks: security_policy.yml
 tags: security_policy

-- include: user_rights.yml
+- import_tasks: user_rights.yml
 tags: user_rights
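Review bot: In tasks/security_policy.yml, `notify: load gpo configuration locally` ties the secedit run to the rendered template changing, so if the handler fails once, or the effective policy is altered on the host later, subsequent runs see an unchanged .inf and never re-apply it while still reporting ok. For a hardening role that gap deserves at least a comment above `- meta: flush_handlers`, for example `# apply the policy now; secedit is only re-run when the rendered .inf changes`. `meta: flush_handlers` also runs every handler queued so far in the play, not only this one, which may be unexpected when the role is combined with others. The templating task starts above the hunk, so its name and any conditions on it are not visible here.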