adding discrimination between DC and MS #355
Conversation
Great improvement @schnipschnap !
My suggestion would be to re-write this as variants:
````yaml
query:
  - uid: mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none
    title: 'Ensure ''Network access: Named Pipes that can be accessed anonymously'' is set to ''None'''
    impact: 100
    variants:
      - uid: mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none-dc
      - uid: mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none-server
    docs:
      desc: |-
        This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.
        The recommended state for this setting is: `<blank>` (i.e. None).
      remediation:
        - id: default
          desc: |-
            #### Group Policy Approach
            To establish the recommended configuration via GP, set the following UI path to `<blank>` (i.e. None):
            ```
            Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously
            ```
            **Impact:**
            This configuration will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function.
        - id: powershell
          desc: |
            #### PowerShell Approach
            To establish the recommended configuration via PowerShell, run the following commands:
            ```powershell
            $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
            $Name = 'NullSessionPipes'
            $Value = ''
            # Create the key if it does not exist
            If (-NOT (Test-Path $RegistryPath)) {
              New-Item -Path $RegistryPath -Force | Out-Null
            }
            # Now set the value
            New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType MultiString -Force
            ```
  - uid: mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none-dc
    filters: |
      windows.computerInfo.OsProductType == 2
    mql: |
      registrykey.property( path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', name: 'NullSessionPipes' ).value.downcase == /lsarpc|netlogon|samr/
  - uid: mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none-server
    filters: |
      windows.computerInfo.OsProductType != 2
    mql: |
      registrykey.property( path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', name: 'NullSessionPipes' ).value == ""
````
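A local audit of the same setting with the DC / member-server split the two variants use, as an added example (not code from this PR or from the Mondoo policy). It assumes `Win32_OperatingSystem.ProductType` 2 identifies a domain controller (the same meaning as the `OsProductType == 2` filter), the function name `Test-NullSessionPipes` is ours, and the DC branch is deliberately stricter than the MQL regex: it flags any pipe other than LSARPC, NETLOGON and SAMR rather than passing when one of them is present.

```powershell
# Added example: audit 'NullSessionPipes' with the DC / member-server split used by the
# variants above. Not part of the PR or the Mondoo policy.
# Assumptions: Win32_OperatingSystem.ProductType 2 == domain controller (as in the MQL
# filter); the function name is ours; the DC branch is stricter than the MQL regex.
function Test-NullSessionPipes {
    [CmdletBinding()]
    param(
        # Injectable so the logic can be exercised offline; defaults read the live host.
        [int]$ProductType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType,
        [string[]]$NullSessionPipes
    )

    if (-not $PSBoundParameters.ContainsKey('NullSessionPipes')) {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
        $NullSessionPipes = (Get-ItemProperty -Path $regPath -Name 'NullSessionPipes' `
            -ErrorAction SilentlyContinue).NullSessionPipes
    }

    # REG_MULTI_SZ arrives as string[]; lower-case it and drop blank entries.
    $pipes = @($NullSessionPipes |
        Where-Object { $null -ne $_ -and $_.Trim() -ne '' } |
        ForEach-Object { $_.ToLowerInvariant() })

    if ($ProductType -eq 2) {
        # Domain controller: only the pipes the DC variant names (LSARPC, NETLOGON, SAMR)
        # may appear. Stricter than the MQL regex, which passes if any one of them matches.
        $role       = 'DomainController'
        $allowed    = @('lsarpc', 'netlogon', 'samr')
        $unexpected = @($pipes | Where-Object { $allowed -notcontains $_ })
    } else {
        # Member server / workstation: the value must be <blank>, i.e. no pipes at all.
        $role       = 'MemberServer'
        $unexpected = $pipes
    }

    [pscustomobject]@{
        Role            = $role
        ConfiguredPipes = $pipes
        UnexpectedPipes = $unexpected
        Compliant       = ($unexpected.Count -eq 0)
    }
}

# Constructed inputs (no registry access needed), then the live host:
Test-NullSessionPipes -ProductType 2 -NullSessionPipes @('LSARPC', 'NETLOGON', 'SAMR')  # DC, expected pipes only
Test-NullSessionPipes -ProductType 3 -NullSessionPipes @('browser', 'spoolss')          # member server exposing pipes
Test-NullSessionPipes
```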
@mm-weber I thought about that but it would be inconsistent with other checks in the same file. I would suggest leaving this for now and then upgrading the whole policy later. What do you think?
Hey @schnipschnap, we should try to establish new patterns where we can.
@mm-weber Variants changes applied. Thank you for the assistance!
Hey @schnipschnap, just as we discussed yesterday, for now we should keep the `-uid` in line with the current policy.
Will look for a solution on how to sync `variants:` better in the future.
Co-authored-by: Manuel Weber <112621871+mm-weber@users.noreply.github.com> Signed-off-by: Christian Gross <cgross@mondoo.com>
@mm-weber Every query needs to have a title, GitHub complains?
LGTM