From 031e28259fc659914738e2d0dcb2b9691a724083 Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Mon, 21 Aug 2023 16:09:45 -0400
Subject: [PATCH 1/2] Fixed Order Of Lockout Tasks
Signed-off-by: Stephen Williams
---
 tasks/main.yml | 6 ++++
 tasks/{audit_prelim.yml => prelim.yml} | 20 ++++++++++--
 tasks/run_audit.yml | 3 --
 tasks/section01.yml | 45 ++++++++++++++------------
 tasks/section18.yml | 2 --
 vars/main.yml | 5 +++
 6 files changed, 54 insertions(+), 27 deletions(-)
 rename tasks/{audit_prelim.yml => prelim.yml} (51%)
diff --git a/tasks/main.yml b/tasks/main.yml
index 4287df7..f338cda 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -31,6 +31,12 @@
 tags:
 - always
+- name: Include the preliminary tasks
+ ansible.builtin.include_tasks: prelim.yml
+ tags:
+ - always
+ - prelim_tasks
+
 - name: Setup for Audit
 ansible.builtin.import_tasks: setup_audit.yml
 when: setup_audit
diff --git a/tasks/audit_prelim.yml b/tasks/prelim.yml
similarity index 51%
rename from tasks/audit_prelim.yml
rename to tasks/prelim.yml
index b9d9164..8917e33 100644
--- a/tasks/audit_prelim.yml
+++ b/tasks/prelim.yml
@@ -1,12 +1,12 @@
 ---
-- name: Set system facts based on gather facts module
+- name: Set System Facts Based On Gather Facts Module
 block:
 - name: Set fact is system is standalone
 ansible.builtin.set_fact:
 win2016cis_is_standalone: true
 when:
- - ansible_windows_domain_role == 'Stand-alone server'
+ - ansible_windows_domain_role == 'Stand-alone server'
 - name: Set fact if domain controller role
 ansible.builtin.set_fact:
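Review bot: The new include at `+- name: Include the preliminary tasks` uses `ansible.builtin.include_tasks`, so its `always` tag applies only to the include itself and every task inside prelim.yml has to repeat `tags: always` (which the prelim.yml hunks below do). The task right after it already uses `ansible.builtin.import_tasks: setup_audit.yml`; changing this line to `ansible.builtin.import_tasks: prelim.yml` would let the tag be inherited and remove the per-task duplication. Either way, a short comment saying that prelim.yml must run on every invocation because later sections depend on the facts it sets would help the next maintainer understand why it is tagged `always`.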
@@ -19,3 +19,19 @@
 win2016cis_is_domain_member: true
 when:
 - ansible_windows_domain_role == 'Member server'
+ tags:
+ - always
+
+- name: Get Windows installation type
+ ansible.windows.win_reg_stat:
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+ name: InstallationType
+ register: get_windows_installation_type
+ tags:
+ - always
+
+- name: Set Windows installation type
+ ansible.builtin.set_fact:
+ windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+ tags:
+ - always
diff --git a/tasks/run_audit.yml b/tasks/run_audit.yml
index dd649ed..7a74faa 100644
--- a/tasks/run_audit.yml
+++ b/tasks/run_audit.yml
@@ -1,7 +1,4 @@
 ---
-- name: Include the preliminary tasks
- ansible.builtin.include_tasks: audit_prelim.yml
-
 # Copied pre and post to capture output files.
 - name: copy the template used by ansible for consistent checks
 ansible.windows.win_template:
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 5c51645..62f0689 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
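Review bot: `windows_installation_type` is only defined once the `Set Windows installation type` task has run, but the vars/main.yml hunk in this same patch adds defaults for the three `win2016cis_is_*` facts and none for this one, so any consumer of `windows_installation_type` hits an undefined variable whenever the prelim is skipped. Adding `windows_installation_type: ""` next to the other defaults keeps the two files consistent. The `| default('')` on the set_fact line is the right guard for the case where `win_reg_stat` reports the value as absent, and the probe itself is read-only. Nothing in this diff reads the new fact, so it is presumably consumed elsewhere in the role; a one-line comment above the task naming that consumer would make the dependency visible.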
@@ -120,55 +120,60 @@
 section: System Access
 key: LockoutBadCount
 value: "{{ lockoutbadcount }}"
- when: win16cis_rule_1_2_2
+ when:
+ - win16cis_rule_1_2_2
+ - not win16cis_cloud_based_system
 tags:
 - level1-domaincontroller
 - level1-memberserver
 - rule_1.2.2
 - patch
-- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
 block:
- - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+ - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
 ansible.builtin.assert:
- that: lockoutduration | int is version('15', '<=')
- fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
+ that: resetlockoutcount | int is version('15', '>=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
 register: result
 changed_when: false
 ignore_errors: true
- - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+ - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
 community.windows.win_security_policy:
 section: System Access
- key: LockoutDuration
- value: "{{ lockoutduration }}"
+ key: ResetLockoutCount
+ value: "{{ resetlockoutcount }}"
 when:
- - win16cis_rule_1_2_1
- # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+ - win16cis_rule_1_2_3
+ - not win16cis_cloud_based_system
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_1.2.1
+ - rule_1.2.3
 - patch
-- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
 block:
- - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
 ansible.builtin.assert:
- that: resetlockoutcount | int is version('15', '>=')
- fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+ that: lockoutduration | int is version('15', '<=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
 register: result
 changed_when: false
 ignore_errors: true
- - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
 community.windows.win_security_policy:
 section: System Access
- key: ResetLockoutCount
- value: "{{ resetlockoutcount }}"
- when: win16cis_rule_1_2_3
+ key: LockoutDuration
+ value: "{{ lockoutduration }}"
+ when:
+ - win16cis_rule_1_2_1
+ - not win16cis_cloud_based_system
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_1.2.3
+ - rule_1.2.1
 - patch
diff --git a/tasks/section18.yml b/tasks/section18.yml
index e1af77f..83d92d7 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
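Review bot: The 1.2.1 audit task this hunk moves to the new side still asserts `that: lockoutduration | int is version('15', '<=')`, which passes for a one-minute lockout duration and fails for a compliant 30, the opposite of the rule title "set to '15 or more minute(s)'"; it should read `that: lockoutduration | int is version('15', '>=')`, mirroring the 1.2.3 check directly above it. Its `fail_msg` is also a copy of the 1.2.3 wording about the bad-logon counter; `fail_msg: "Must have the account lockout duration configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"` describes the control actually being audited. The commit only swaps the order of the two blocks, so the inverted comparison is pre-existing, but it now lands on the new side and silently reports a weak lockout duration as compliant.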
@@ -105,7 +105,6 @@
 data: 4
 type: dword
 when:
- - is_implemented
 - win16cis_rule_18_2_4
 - ansible_windows_domain_role == "Member Server"
 tags:
@@ -2512,7 +2511,6 @@
 type: dword
 when:
 - win16cis_rule_18_9_98_1
- - is_implemented
 - not win_skip_for_test
 tags:
 - level2-domaincontroller
diff --git a/vars/main.yml b/vars/main.yml
index 24c6f76..0d4424f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -5,3 +5,8 @@
 # This sets the variable that is created for the banner.
 lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
+# These are default values that will be changed when the prelim
+# runs and finds the correct setting.
+win2016cis_is_standalone: false
+win2016cis_is_domain_controller: false
+win2016cis_is_domain_member: false
From 16278857e3ed245c18074e5aae94dd8cbc3eaa1b Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Mon, 21 Aug 2023 16:20:43 -0400
Subject: [PATCH 2/2] Fixed Order Of Lockout Tasks
Signed-off-by: Stephen Williams
---
 tasks/section01.yml | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 62f0689..0edf924 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -120,9 +120,7 @@
 section: System Access
 key: LockoutBadCount
 value: "{{ lockoutbadcount }}"
- when:
- - win16cis_rule_1_2_2
- - not win16cis_cloud_based_system
+ when: win16cis_rule_1_2_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
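Review bot: With `is_implemented` removed, the remaining gate `- ansible_windows_domain_role == "Member Server"` is what decides whether rule 18.2.4 applies, and it compares against a differently cased string than the prelim.yml hunk in this same patch, which matches `'Member server'`; Jinja string comparison is case-sensitive, so at most one of the two spellings can match the gathered fact and, if this one is the wrong one, the task is silently skipped on every member server. Since prelim.yml now always sets `win2016cis_is_domain_member` and vars/main.yml defaults it to `false`, replacing that condition with `- win2016cis_is_domain_member` removes the dependency on the fact's exact spelling. The second section18 hunk drops the same `is_implemented` gate but has no role comparison, so it is not affected. The enclosing task starts before this hunk, so its name and module are not visible here.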
@@ -144,16 +142,13 @@
 section: System Access
 key: ResetLockoutCount
 value: "{{ resetlockoutcount }}"
- when:
- - win16cis_rule_1_2_3
- - not win16cis_cloud_based_system
+ when: win16cis_rule_1_2_3
 tags:
 - level1-domaincontroller
 - level1-memberserver
 - rule_1.2.3
 - patch
-# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
 - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
 block:
 - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
@@ -169,9 +164,7 @@
 section: System Access
 key: LockoutDuration
 value: "{{ lockoutduration }}"
- when:
- - win16cis_rule_1_2_1
- - not win16cis_cloud_based_system
+ when: win16cis_rule_1_2_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
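Review bot: Dropping the `-# Speelman | added because of this error "Failed to import secedit.ini file ..."` line removes the only explanation of why 1.2.1 (LockoutDuration) now runs after 1.2.3 (ResetLockoutCount), which is the whole point of this two-patch series, so the next person to reorder these tasks has nothing stopping them. A one-line comment above `- name: "SCORED | 1.2.1 | AUDIT ..."`, for example `# 1.2.1 must run after 1.2.3: the secedit import fails when LockoutDuration is set below the current ResetLockoutCount window`, would keep that reasoning in the file; the stated cause is my reading of the removed comment and the commit title, so confirm it before wording the comment. The reverts of the `win16cis_cloud_based_system` conditions in this hunk, the one below it and the first hunk of this patch are otherwise straightforward.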