
Securing a Windows System with Ansible

Introduction:

Ansible is an open-source automation tool that helps system administrators automate various tasks such as configuration management, application deployment, and security hardening. In this tutorial, we will focus on using Ansible to secure a Windows system. We will cover the installation and setup of Ansible, creating a playbook to harden a Windows system, and running the playbook.

Prerequisites:

  • A Windows system to be secured.
  • A Linux control machine with Ansible installed (Ansible control node).

Step 1: Install and Set Up Ansible on the Control Machine

1.1 Install Ansible

To install Ansible on your control machine, follow the official documentation: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html

After installing Ansible, you will need the pywinrm package to communicate with Windows systems. Install it using the following command:

pip install pywinrm

Step 2: Configure Ansible to Connect to the Windows System

2.1 Set up WinRM (Windows Remote Management) on the Windows system

Enable and configure WinRM by running the following PowerShell command as an administrator:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://github.com/ansible/ansible/raw/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))

2.2 Add the Windows system to the Ansible inventory

On the control machine, create an inventory file called "windows.ini" with the following contents:

[windows]
your_windows_system ansible_host=your_windows_ip ansible_user=your_windows_user ansible_password=your_windows_password ansible_connection=winrm ansible_winrm_server_cert_validation=ignore

Replace "your_windows_system", "your_windows_ip", "your_windows_user", and "your_windows_password" with the appropriate values. The ConfigureRemotingForAnsible.ps1 script from Step 2.1 creates an HTTPS listener backed by a self-signed certificate, which is why ansible_winrm_server_cert_validation=ignore is set here; once the host has a certificate your control node trusts, drop that setting so the WinRM connection is validated, and keep the password out of the plaintext inventory by storing it with ansible-vault.

Step 3: Create a Playbook to Secure the Windows System

We have selected a few of the most common hardening points to include here. In the future we will provide a link to a more in-depth article covering additional hardening points.

Create a new file called "secure_windows.yml" and add the following content:

---
- name: Secure Windows System
  hosts: windows
  gather_facts: yes
  tasks:
    # Modules are referenced by their fully qualified collection names
    # (ansible.windows / community.windows). Install the collections with:
    #   ansible-galaxy collection install ansible.windows community.windows
    - name: Install security updates
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
      register: update_result

    - name: Display installed updates
      ansible.builtin.debug:
        var: update_result

    # win_security_policy edits the secedit INF file; its parameter is
    # "section", and both the password and the lockout settings below live
    # in the [System Access] section of that file.
    - name: Configure password policy
      community.windows.win_security_policy:
        section: System Access
        key: MinimumPasswordLength
        value: 12

    - name: Configure account lockout policy
      community.windows.win_security_policy:
        section: System Access
        key: LockoutBadCount
        value: 5

    # win_feature manages Windows Server roles and features; client editions
    # ship Defender built in, so this task only applies to Server hosts.
    - name: Enable Windows Defender
      ansible.windows.win_feature:
        name: Windows-Defender
        state: present

    # MpsSvc is the Windows Defender Firewall service.
    - name: Ensure Windows Firewall is running
      ansible.windows.win_service:
        name: MpsSvc
        state: started
        start_mode: auto

This playbook will:

  • Install security and critical updates.
  • Configure a password policy with a minimum length of 12 characters.
  • Set the account lockout threshold to 5 failed attempts.
  • Enable Windows Defender.
  • Ensure the Windows Firewall is running and set to start automatically.

Step 4: Run the Playbook

To run the playbook, execute the following command on the control machine:

ansible-playbook -i windows.ini secure_windows.yml
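Applying settings is only half the job; a second playbook can verify that the controls above are actually in effect and fail loudly when a host drifts. This audit playbook is an added example and not part of the original tutorial. It assumes the same "windows" inventory group, that secedit.exe is available on the host (it is on every supported Windows version), and that the Defender service is named WinDefend.

```yaml
---
- name: Verify Windows hardening state
  hosts: windows
  gather_facts: no
  tasks:
    # Export the local security policy and pull out the two keys the
    # hardening playbook sets; the export is a secedit INF file.
    - name: Read effective password and lockout policy
      ansible.windows.win_shell: |
        $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
        secedit /export /cfg $cfg | Out-Null
        $result = @{}
        foreach ($line in Get-Content $cfg) {
          if ($line -match '^(MinimumPasswordLength|LockoutBadCount)\s*=\s*(\d+)') {
            $result[$matches[1]] = [int]$matches[2]
          }
        }
        Remove-Item $cfg -Force
        $result | ConvertTo-Json -Compress
      register: secpol
      changed_when: false

    # Service state is read directly rather than trusting win_feature /
    # win_service to have reported success.
    - name: Check Defender and firewall service state
      ansible.windows.win_shell: |
        @{
          defender      = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status -eq 'Running'
          firewall      = (Get-Service MpsSvc).Status -eq 'Running'
          firewall_auto = (Get-Service MpsSvc).StartType -eq 'Automatic'
        } | ConvertTo-Json -Compress
      register: services
      changed_when: false

    # A LockoutBadCount of 0 means "never lock out", so the check requires a
    # positive threshold no larger than the one the hardening playbook set.
    - name: Fail if any control drifted from the hardened baseline
      ansible.builtin.assert:
        that:
          - (secpol.stdout | from_json).MinimumPasswordLength | int >= 12
          - (secpol.stdout | from_json).LockoutBadCount | int > 0
          - (secpol.stdout | from_json).LockoutBadCount | int <= 5
          - (services.stdout | from_json).defender
          - (services.stdout | from_json).firewall
          - (services.stdout | from_json).firewall_auto
        fail_msg: "Hardening drift detected: {{ secpol.stdout }} {{ services.stdout }}"
```

Run it with ansible-playbook -i windows.ini verify_windows.yml after the hardening playbook, or on a schedule, so a host whose settings were changed by hand shows up as a failed task.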