-
Notifications
You must be signed in to change notification settings - Fork 316
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Skip checks for DC if server is not domain controller #66
Comments
I think the easiest way is to split the CIS lists into member server and DC, similar to the Microsoft Security Baselines. I'll look into it |
also related to the above and why i think there should be some flags to turn on or off checks is because there 2 other checks that only apply if servers are running IIS or HyperV and again the results can show the setting as being wrong but is not actually. 2.2.18.2 and 2.2.32. |
Just a suggestion to have fewer files to maintain: add a column "applies to" (like from the MS Security Baseline Windows 10) That column then could be compared to |
@lordfiSh's suggestion would be a plausible approach. I don't want to introduce too much complexity, besides everyone has the possibility to create their own lists and remove findings or define recommendations according to their own needs. I am still considering a solution |
HI.
Would it be possible to add a check for the type of server and if not domain controller to skip the checks that only apply to the DCs?
Your tool is great but it yields some false positives if the Server is a Member and not DC. Example below:
[*] Domain role: MemberServer
[$] ID 2.3.5.1, Domain controller: Allow server operators to schedule tasks (DC), Result=, Recommended=0, Severity=Medium
The text was updated successfully, but these errors were encountered: