CIS rule 5.3 disables incorrect service #12
Labels: bug (Something isn't working)
Comments
Note: I submitted this same issue to Windows 10 as well: link, because the same issue is occurring on both operating systems.
Describe the Issue
CIS rule 5.3 is intended to disable the computer browser (browser) service, however it incorrectly disables the browser (bowser) service. The browser (bowser) service is a dependency for the workstation service, which causes all sorts of issues including causing the workstation to be unable to connect to SMB shares.

This appears to be because the ansible.windows.win_service and win_service_info modules will use the name parameter to mean either display name or internal name. This can be seen in the documentation for the win_service_info module: link

This causes an issue with the computer browser (browser) and browser (bowser) services because the internal name of computer browser (browser) is browser, which matches the display name of browser (bowser), browser.

This 'name collision' causes the browser (bowser) service to be incorrectly disabled if computer browser (browser) is not installed (which is provided by SAMBA1.0/CIFS file support). This is the case by default for Windows 10 1709 and newer and all versions of Windows 11.

Expected Behavior
If computer browser is installed that service is disabled. Otherwise nothing happens.

Actual Behavior
If computer browser is not installed the browser service is getting disabled.

See below for empirical evidence that Ansible will accept both display name and internal name for a service:
This is the Ansible code I used to debug this issue:
Which produced this output:
As you can see, despite using 2 different service names, it retrieved info for the same service twice.
Control(s) Affected
5.3 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'
Environment (please complete the following information):
Additional Notes
It's worth noting I haven't tried running this role against a workstation with computer browser installed. So I'm not sure what the behavior of this control is against a workstation that has both the computer browser and browser service installed.

However, this combination is unlikely given that Windows 11 doesn't include computer browser by default.

It's also worth noting that this will likely solve the error message noted in the comments for 5.3. The error message states that the workstation service isn't running, and the workstation service depends on the browser service.

Possible Solution
Change the control to use the display name of computer browser. This avoids the 'name collision' between the computer browser and browser services.

It also might be worth submitting something upstream to the Ansible Windows maintainers to make the win_service* modules' name parameter use either only the display name or the internal name, not either.
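One way to express the guard that the Possible Solution points toward, as an added example that is not part of the original issue or the role's own tasks. It filters the lookup result on the internal name before changing anything, then checks that the bowser service was left alone; the task names and the registered variable names (browser_lookup, computer_browser_present, bowser_lookup) are hypothetical, and the internal and display names are the ones given in the issue.

```yaml
# Added example, not the role's own tasks. Registered variable names are hypothetical.
- name: "5.3 | Look up services matching 'Browser'"
  ansible.windows.win_service_info:
    name: Browser   # matches internal name OR display name, so bowser can be returned too
  register: browser_lookup

- name: "5.3 | Record whether a service with internal name 'browser' exists"
  ansible.builtin.set_fact:
    computer_browser_present: >-
      {{ 'browser' in (browser_lookup.services | default([])
         | map(attribute='name') | map('lower') | list) }}

- name: "5.3 | Disable Computer Browser only when it is actually installed"
  ansible.windows.win_service:
    name: Computer Browser   # display name, as the issue proposes
    start_mode: disabled
    state: stopped
  when: computer_browser_present | bool

- name: "5.3 | Re-read the bowser service by its internal name"
  ansible.windows.win_service_info:
    name: bowser
  register: bowser_lookup

- name: "5.3 | Fail if bowser ended up disabled"
  ansible.builtin.assert:
    that: >-
      bowser_lookup.services | default([])
      | selectattr('name', 'match', '(?i)^bowser$')
      | selectattr('start_mode', 'equalto', 'disabled')
      | list | length == 0
    fail_msg: "bowser is disabled; the workstation service depends on it"
```

On a host without computer browser installed, the third task is skipped and the final assert passes only if bowser was not already disabled by an earlier run.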