
Securing a Windows System with Ansible


Ansible is an open-source automation tool that helps system administrators automate various tasks such as configuration management, application deployment, and security hardening. In this tutorial, we will focus on using Ansible to secure a Windows system. We will cover the installation and setup of Ansible, creating a playbook to harden a Windows system, and running the playbook.


Prerequisites

  • A Windows system to be secured.
  • A Linux control machine with Ansible installed (Ansible control node).

Step 1: Install and Set Up Ansible on the Control Machine

1.1 Install Ansible

To install Ansible on your control machine, follow the official documentation:

After installing Ansible, you will need the pywinrm package to communicate with Windows systems. Install it using the following command:

pip install pywinrm

Step 2: Configure Ansible to Connect to the Windows System

2.1 Set up WinRM (Windows Remote Management) on the Windows system

Enable and configure WinRM by running the following PowerShell command as an administrator:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString(''))

2.2 Add the Windows system to the Ansible inventory

On the control machine, create an inventory file called "windows.ini" with the following contents:

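[windows]
your_windows_system ansible_host=your_windows_ip ansible_user=your_windows_user ansible_password=your_windows_password ansible_connection=winrm ansible_winrm_server_cert_validation=ignore

Replace "your_windows_system", "your_windows_ip", "your_windows_user", and "your_windows_password" with the appropriate values. The host entry sits under the [windows] group because the playbook in Step 3 targets "hosts: windows".

Note that ansible_winrm_server_cert_validation=ignore turns off TLS certificate verification for the WinRM connection, and ansible_password keeps the credential in plaintext in the inventory file. Outside a lab, give the Windows host a certificate the control node trusts and store the password with Ansible Vault.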

Step 3: Create a Playbook to Secure the Windows System

We have selected a few of the most common hardening points to include here. In the future we will provide a link to a more in-depth article covering more hardening points.

Create a new file called "secure_windows.yml" and add the following content:

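- name: Secure Windows System
  hosts: windows
  gather_facts: yes
  tasks:
    # Install all available updates in the two listed categories
    - name: Install security updates
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
      register: update_result

    - name: Display installed updates
      debug:
        var: update_result

    # win_security_policy writes local security policy values through secedit
    - name: Configure password policy
      win_security_policy:
        section: System Access
        key: MinimumPasswordLength
        value: 12

    # LockoutBadCount is stored in the "System Access" section of the policy
    - name: Configure account lockout policy
      win_security_policy:
        section: System Access
        key: LockoutBadCount
        value: 5

    # win_feature is only available on Windows Server
    - name: Enable Windows Defender
      win_feature:
        name: Windows-Defender
        state: present

    # MpsSvc is the Windows Firewall service
    - name: Ensure Windows Firewall is running
      win_service:
        name: MpsSvc
        state: started
        start_mode: auto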

This playbook will:

  • Install security and critical updates.
  • Configure a password policy with a minimum length of 12 characters.
  • Set the account lockout threshold to 5 failed attempts.
  • Enable Windows Defender.
  • Ensure the Windows Firewall is running and set to start automatically.

Step 4: Run the Playbook

To run the playbook, execute the following command on the control machine:

ansible-playbook -i windows.ini secure_windows.yml
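
To confirm after the run that the two policy values from Step 3 are in effect, the following added example (not part of the original tutorial) audits the text of a `secedit /export /cfg` dump against the playbook's targets. The sample export is constructed, and the names `BASELINE`, `parse_secedit` and `audit` are hypothetical.

```python
"""Audit a `secedit /export /cfg <file>` dump against the playbook's policy values."""

# Targets from secure_windows.yml: (section, key, check, description of the requirement)
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 12, ">= 12"),
    # 0 means "never lock out", so it must fail even though 0 <= 5.
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 5, "1..5"),
]

# Constructed sample of an export. Real exports are UTF-16 files:
# open(path, encoding="utf-16").read()
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
"""

def parse_secedit(text):
    """Return {section: {key: value}} from the INF-style secedit output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte-order mark
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def audit(text, baseline=BASELINE):
    """Return (key, found, required) for every baseline setting that fails."""
    policy = parse_secedit(text)
    failures = []
    for section, key, check, required in baseline:
        found = policy.get(section, {}).get(key)
        # A missing or non-numeric value is a failure, never a silent pass.
        if found is None or not found.isdigit() or not check(int(found)):
            failures.append((key, found, required))
    return failures

if __name__ == "__main__":
    for key, found, required in audit(SAMPLE_EXPORT):
        print(f"FAIL {key}: found {found!r}, required {required}")
```

On the Windows host, `secedit /export /cfg policy.inf` produces the file to feed into `audit`.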