
Security and hardening

Intermediate hardening of the Windows image: firewall, Windows Defender, local GPOs, PowerShell restriction and disabling unnecessary services.


The security role

Default variables

Create roles/security/defaults/main.yml:

security_enabled: true
security_rdp_port: 3389
security_winrm_port: 5986
security_password_min_length: 12
security_lockout_threshold: 5
security_lockout_duration: 30
security_powershell_execution_policy: "RemoteSigned"
security_disable_services:
  - XblAuthManager
  - XblGameSave
  - XboxGipSvc
  - XboxNetApiSvc
  - DiagTrack
  - dmwappushservice
  - RetailDemo
  - WSearch

Windows Firewall

Create roles/security/tasks/firewall.yml:

---
- name: Activer le firewall sur tous les profils
  community.windows.win_firewall:
    profiles:
      - Domain
      - Private
      - Public
    state: enabled

- name: Autoriser RDP
  community.windows.win_firewall_rule:
    name: "VDI-RDP"
    localport: "{{ security_rdp_port }}"
    protocol: tcp
    direction: in
    action: allow
    enabled: true

- name: Autoriser WinRM HTTPS (build only)
  community.windows.win_firewall_rule:
    name: "VDI-WinRM-HTTPS"
    localport: "{{ security_winrm_port }}"
    protocol: tcp
    direction: in
    action: allow
    enabled: true

- name: Bloquer les connexions sortantes non-essentielles par defaut
  community.windows.win_firewall:
    profiles:
      - Public
    # outbound traffic on the Public profile is denied unless a VDI-Outbound-* rule allows it
    outbound_action: block
    state: enabled

- name: Autoriser les sorties DNS, HTTP, HTTPS
  community.windows.win_firewall_rule:
    name: "VDI-Outbound-{{ item.name }}"
    localport: any
    remoteport: "{{ item.port }}"
    protocol: tcp
    direction: out
    action: allow
    enabled: true
  loop:
    - { name: "DNS", port: "53" }
    - { name: "HTTP", port: "80" }
    - { name: "HTTPS", port: "443" }

Windows Update

Create roles/security/tasks/updates.yml:

---
- name: Installer toutes les mises a jour critiques
  ansible.windows.win_updates:
    category_names:
      - CriticalUpdates
      - SecurityUpdates
    state: installed
    reboot: true
    reboot_timeout: 1200

- name: Configurer Windows Update en mode automatique
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    name: AUOptions
    data: 4
    type: dword

Windows Defender

Create roles/security/tasks/defender.yml:

---
- name: Activer la protection en temps reel
  ansible.windows.win_shell: Set-MpPreference -DisableRealtimeMonitoring $false

- name: Activer la protection cloud
  ansible.windows.win_shell: Set-MpPreference -MAPSReporting Advanced

- name: Ajouter les exclusions pour les repertoires de dev
  # every excluded path is invisible to real-time scanning, so keep this list to the
  # two build directories and apply it only when the matching feature is enabled
  ansible.windows.win_shell: |
    Add-MpPreference -ExclusionPath "C:\containerd"
    Add-MpPreference -ExclusionPath "C:\ProgramData\chocolatey"
  when: containers_enabled | default(false) or chocolatey_enabled | default(false)

- name: Lancer un scan rapide
  ansible.windows.win_shell: Start-MpScan -ScanType QuickScan

Local GPOs

Create roles/security/tasks/gpo.yml:

---
- name: Politique de mot de passe — longueur minimale
  community.windows.win_security_policy:
    section: System Access
    key: MinimumPasswordLength
    value: "{{ security_password_min_length }}"

- name: Politique de mot de passe — complexite requise
  community.windows.win_security_policy:
    section: System Access
    key: PasswordComplexity
    value: 1

- name: Verrouillage de compte — seuil
  community.windows.win_security_policy:
    section: System Access
    key: LockoutBadCount
    value: "{{ security_lockout_threshold }}"

- name: Verrouillage de compte — duree (minutes)
  community.windows.win_security_policy:
    section: System Access
    key: LockoutDuration
    value: "{{ security_lockout_duration }}"

- name: Audit — succes et echecs de connexion
  community.windows.win_audit_policy_system:
    subcategory: Logon
    audit_type: success, failure

PowerShell restriction

Create roles/security/tasks/powershell.yml:

---
- name: Configurer la politique d'execution
  # win_shell is not idempotent: this task reports "changed" on every run
  ansible.windows.win_shell: "Set-ExecutionPolicy {{ security_powershell_execution_policy }} -Force -Scope LocalMachine"

- name: Desactiver PowerShell v2
  ansible.windows.win_optional_feature:
    name: MicrosoftWindowsPowerShellV2Root
    state: absent

- name: Activer la journalisation PowerShell
  # script block contents are then written to Microsoft-Windows-PowerShell/Operational (event ID 4104)
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    name: EnableScriptBlockLogging
    data: 1
    type: dword

Unnecessary services

Create roles/security/tasks/services.yml:

---
- name: Desactiver les services inutiles
  ansible.windows.win_service:
    name: "{{ item }}"
    start_mode: disabled
    state: stopped
  loop: "{{ security_disable_services }}"
  ignore_errors: true

Main tasks

Create roles/security/tasks/main.yml:

---
- name: Configurer le firewall
  ansible.builtin.include_tasks: firewall.yml

- name: Installer les mises a jour
  ansible.builtin.include_tasks: updates.yml

- name: Configurer Windows Defender
  ansible.builtin.include_tasks: defender.yml

- name: Appliquer les GPO locales
  ansible.builtin.include_tasks: gpo.yml

- name: Restreindre PowerShell
  ansible.builtin.include_tasks: powershell.yml

- name: Desactiver les services inutiles
  ansible.builtin.include_tasks: services.yml

- name: Validation du role
  ansible.builtin.include_tasks: validate.yml
  tags: [validate]

Assertions

Create roles/security/tasks/validate.yml:

---
# --- Level 1: technical ---
- name: "Assert : Firewall actif"
  ansible.windows.win_shell: "(Get-NetFirewallProfile).Enabled"
  register: fw_status
  failed_when: "'False' in fw_status.stdout"

- name: "Assert : Windows Defender actif"
  ansible.windows.win_shell: "(Get-MpComputerStatus).RealTimeProtectionEnabled"
  register: defender_status
  failed_when: "'True' not in defender_status.stdout"

- name: "Assert : PowerShell v2 desactive"
  ansible.windows.win_optional_feature:
    name: MicrosoftWindowsPowerShellV2Root
    state: absent
  check_mode: true
  register: psv2_check
  failed_when: psv2_check.changed

# --- Level 2: use cases ---
- name: "Assert : Politique de mot de passe appliquee"
  # `net accounts` output is localized: the pattern below matches the English string only
  ansible.windows.win_shell: "net accounts | Select-String 'Minimum password length'"
  register: pwd_policy
  # compare the parsed length with the baseline; no match parses as 0 and fails the assertion
  failed_when: "(pwd_policy.stdout | regex_search('\\d+') | int) < security_password_min_length"

- name: "Assert : Services inutiles arretes"
  ansible.windows.win_service:
    name: "{{ item }}"
  register: svc_status
  # a service absent from this Windows edition returns exists=false and no state;
  # ignore_errors would silence the assertion itself, so handle that case here instead
  failed_when: svc_status.exists | default(false) and svc_status.state == "running"
  loop: "{{ security_disable_services }}"
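As an added example (not part of the original role), the Level 2 password-policy assertion done against a `secedit /export /cfg` file, which carries the same locale-independent keys the role sets through win_security_policy, instead of grepping the localized `net accounts` output. It assumes the export has been copied from the build host (for instance with ansible.windows.win_shell and ansible.builtin.fetch) and decoded from UTF-16; the sample export and the baseline values are constructed here.

```python
import configparser
import re

# Baseline copied from roles/security/defaults/main.yml (a CI job would load it with PyYAML).
ROLE_BASELINE = {"MinimumPasswordLength": 12, "PasswordComplexity": 1,
                 "LockoutBadCount": 5, "LockoutDuration": 30}

# True when the observed value is at least as strict as the baseline.
# LockoutBadCount = 0 disables lockout entirely, so it is weaker than any threshold.
STRICT_ENOUGH = {
    "MinimumPasswordLength": lambda got, want: got >= want,
    "PasswordComplexity": lambda got, want: got == want,
    "LockoutBadCount": lambda got, want: 0 < got <= want,
    "LockoutDuration": lambda got, want: got >= want,
}

# Constructed sample of a `secedit /export /cfg <file>` export (the real file is UTF-16LE:
# decode it with bytes.decode("utf-16") first). These are the keys the role writes through
# win_security_policy; the password length is deliberately below the baseline.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(export_text):
    """Return the integer settings of the [System Access] section as {key: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so names match the role's win_security_policy keys
    cp.read_string(export_text)
    return {k: int(v) for k, v in cp["System Access"].items() if re.fullmatch(r"-?\d+", v.strip())}


def check_policy(observed, baseline=ROLE_BASELINE):
    """Return [(key, expected, observed)] for every setting weaker than the baseline.
    A key missing from the export is reported with observed=None, so a truncated or
    wrong-section export fails instead of silently passing."""
    failures = []
    for key, want in baseline.items():
        got = observed.get(key)
        if got is None or not STRICT_ENOUGH[key](got, want):
            failures.append((key, want, got))
    return failures
```

An empty list from check_policy means the image meets the baseline; anything else is the exact setting to report.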

Summary of measures

| Measure | Ansible module | Effect |
|---|---|---|
| Firewall enabled | win_firewall, win_firewall_rule | Inbound/outbound filtering |
| Windows Update | win_updates | Critical and security patches |
| Windows Defender | Set-MpPreference | Real-time + cloud protection |
| Password | win_security_policy | Min 12 characters, complexity |
| Account lockout | win_security_policy | 5 attempts, 30 min lockout |
| Logon audit | win_audit_policy_system | Success/failure logging |
| PowerShell | Set-ExecutionPolicy | RemoteSigned + v2 disabled |
| Services | win_service | Xbox, DiagTrack, etc. stopped |