2.3.10.9 - Configure Network access Remotely accessible registry paths and sub-paths always includes CertSvc and WINS

[Crombell95]

Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.

The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc

The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS

Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed

Actual Behavior
The CertSvc and WINS path are always included

Control(s) Affected
2.3.10.9

Possible Solution

- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
  block:
      - name: 2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.builtin.set_fact:
            remote_registry_paths: [
                'System\CurrentControlSet\Control\Print\Printers',
                'System\CurrentControlSet\Services\Eventlog',
                'Software\Microsoft\OLAP Server',
                'Software\Microsoft\Windows NT\CurrentVersion\Print',
                'Software\Microsoft\Windows NT\CurrentVersion\Windows',
                'System\CurrentControlSet\Control\ContentIndex',
                'System\CurrentControlSet\Control\Terminal Server',
                'System\CurrentControlSet\Control\Terminal Server\UserConfig',
                'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
                'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
                'System\CurrentControlSet\Services\SysmonLog'
            ]

      - name: 2.3.10.9 | Check if AD Certificate Services feature is installed
        community.windows.win_feature_info:
            name: AD-Certificate
        register: adcs_feature

      - name: 2.3.10.9 | Add CertSvc to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
        when: adcs_feature.features[0].installed

      - name: 2.3.10.9 | Check if WINS feature is installed
        community.windows.win_feature_info:
            name: WINS
        register: wins_feature

      - name: 2.3.10.9 | Add WINS to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
        when: wins_feature.features[0].installed

      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.windows.win_regedit:
            path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
            name: "Machine"
            data: '{{ remote_registry_paths }}'
            type: multistring
  when: win16cis_rule_2_3_10_9
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_2.3.10.9
      - patch