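---
# https://meltdownattack.com
# https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
#
# Installs pending security updates, then writes the registry values the
# linked guidance uses to turn on the kernel mitigations. The registry values
# are only picked up at boot, so both tasks notify the reboot handler; the
# reboot itself is gated on reboot_after_update (default: false), otherwise
# the mitigations stay pending until the host is restarted by other means.
- name: Patch Windows systems against Meltdown and Spectre
  hosts: "{{ target_hosts | default('all') }}"
  vars:
    # Set to true (e.g. -e reboot_after_update=true) to let the handler
    # restart hosts after changes; left false, the play only stages them.
    reboot_after_update: false
    registry_keys:
      # FeatureSettingsOverride=0 together with FeatureSettingsOverrideMask=3
      # is the combination the linked guidance gives to enable the mitigations.
      - path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        name: FeatureSettingsOverride
        data: 0
        type: dword
      - path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        name: FeatureSettingsOverrideMask
        data: 3
        type: dword
      # https://support.microsoft.com/en-us/help/4072699
      # Compatibility flag that Windows Update checks before offering the
      # speculative-execution updates; normally set by a compatible antivirus
      # product, so verify that the installed AV is compatible before relying on it.
      - path: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
        name: cadca5fe-87d3-4b96-b7fb-a231484277cc
        type: dword
        data: '0x00000000'

  tasks:
    - name: Install security updates
      win_updates:
        category_names:
          - SecurityUpdates
      notify: reboot windows system

    - name: Enable kernel protections
      win_regedit:
        path: "{{ item.path }}"
        name: "{{ item.name }}"
        data: "{{ item.data }}"
        type: "{{ item.type }}"
      with_items: "{{ registry_keys }}"
      # new values are read at boot only; without this notify a host whose
      # update step reported no change would never be scheduled for a restart
      notify: reboot windows system

  handlers:
    - name: reboot windows system
      win_reboot:
        shutdown_timeout: 3600
        reboot_timeout: 3600
      # honoured only when the operator opted in via reboot_after_update
      when: reboot_after_update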