First of all, I think hardening kitty is an important and valuable project. I recommend it all the time.
However, I just noticed something which is unclear to me.
Sometimes, the default value of a setting is the recommended value. For example, for hardened UNC paths. However, the default value also applies if the setting is not set at all; that's why it is the default.
Consider this setting:
HardeningKitty/lists/finding_list_msft_security_baseline_windows_11_24h2_machine.csv
Line 143 in 92b8ef7
```
10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
```
By default, it's NULL (i.e. the registry key doesn't exist), which is equivalent to RequireMutualAuthentication=1, RequireIntegrity=1.
However, hardening kitty is reporting this as fail. In my opinion, the acceptable values for this setting are NULL (i.e. not set) and RequireMutualAuthentication=1, RequireIntegrity=1.
Unless I'm overlooking something, in which case please correct me if I'm wrong.
If I'm right, this brings up the question of which other settings are wrongly reported as fail.
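The distinction raised in this issue, as an added example that is not part of the original post and is not HardeningKitty code: a check that reports an absent registry value as its own state instead of folding it into a failure. The function names and state labels are hypothetical; the path, value name and recommended value are taken from the finding line above, and whether the absent state is acceptable is left to whoever reads the result.

```powershell
# Added example, not HardeningKitty code. Function names and state labels are hypothetical.
$Path        = 'HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Name        = '\\*\NETLOGON'
$Recommended = 'RequireMutualAuthentication=1, RequireIntegrity=1'

function ConvertTo-FlagKey([string]$Value) {
    # Normalise "A=1, B=1" so ordering, spacing and case do not affect the comparison.
    $flags = $Value -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
    ($flags | Sort-Object -Unique) -join ','
}

function Resolve-FindingState {
    param([AllowNull()][object]$Current, [string]$Recommended)
    # $null means the value (or its key) is absent, so the OS default applies.
    if ($null -eq $Current) { return 'NotConfigured' }
    if ((ConvertTo-FlagKey ([string]$Current)) -eq (ConvertTo-FlagKey $Recommended)) {
        return 'MatchesRecommended'
    }
    return 'Differs'
}

function Get-PolicyValue([string]$KeyPath, [string]$ValueName) {
    # -LiteralPath and RegistryKey.GetValue keep the '*' in the value name literal.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($ValueName, $null)
}

# Constructed sample values: absent, recommended flags in a different order, weakened.
$samples = @($null, 'RequireIntegrity=1,RequireMutualAuthentication=1', 'RequireMutualAuthentication=0')
foreach ($s in $samples) {
    $shown = if ($null -eq $s) { '<absent>' } else { $s }
    [pscustomobject]@{ Value = $shown; State = Resolve-FindingState $s $Recommended }
}

# Live read on the local machine (returns 'NotConfigured' when the key or value is missing).
Resolve-FindingState (Get-PolicyValue $Path $Name) $Recommended
```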