SecurityPolicyDsc

A wrapper around secedit.exe to allow you to configure local security policies. This resource requires a Windows OS with secedit.exe.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

How to Contribute

If you would like to contribute to this repository, please read the DSC Resource Kit contributing guidelines.

Resources

  • UserRightsAssignment: Configures user rights assignments in local security policies.
  • SecurityTemplate: Configures user rights assignments that are defined in an INF file.
  • AccountPolicy: Configures the policies under the Account Policy node in local security policies.
  • SecurityOption: Configures the policies under the Security Options node in local security policies.

UserRightsAssignment

  • Policy: The policy name of the user rights assignment to be configured.
  • Identity: The identity of the user or group to be added or removed from the user rights assignment.
  • Force: Specifies to explicitly assign only the identities defined.

SecurityTemplate

  • Path: Path to an INF file that defines the desired security policies.

AccountPolicy

  • Name: A unique name of the AccountPolicy resource instance. This is not used during configuration but needed to ensure the resource configuration is unique.

For an explanation of the settings below, please consult the Account Policies Reference.

  • [String] Enforce_password_history (Write) : Please see the link above for a full description. { Passwords Remembered }

  • [String] Maximum_Password_Age (Write) : Please see the link above for a full description. { days }

  • [String] Minimum_Password_Age (Write) : Please see the link above for a full description. { days }

  • [String] Minimum_Password_Length (Write) : Please see the link above for a full description. { Character Count }

  • [String] Password_must_meet_complexity_requirements (Write) : Please see the link above for a full description. { Disabled | Enabled }

  • [String] Store_passwords_using_reversible_encryption (Write) : Please see the link above for a full description. { Disabled | Enabled }

  • [String] Account_lockout_duration (Write) : Please see the link above for a full description. { minutes }

  • [String] Account_lockout_threshold (Write) : Please see the link above for a full description. { invalid logon attempts}

  • [String] Reset_account_lockout_counter_after (Write) : Please see the link above for a full description. { minutes }

(Note: The settings below pertain to Kerberos policies and must be set by a member of the Domain Admins group.)

  • [String] Enforce_user_logon_restrictions (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Maximum_lifetime_for_service_ticket (Write) : Please see the link above for a full description. { minutes }
  • [String] Maximum_lifetime_for_user_ticket_renewal (Write) : Please see the link above for a full description. { days }
  • [String] Maximum_lifetime_for_user_ticket (Write) : Please see the link above for a full description. { hours }
  • [String] Maximum_tolerance_for_computer_clock_synchronization (Write) : Please see the link above for a full description. { minutes }

SecurityOption

  • Name: Name of security option configuration. This is not used during the configuration process but needed to ensure the resource configuration instance is unique.

For an explanation of the settings below, please consult the Security Options Reference.

  • [String] Accounts_Administrator_account_status (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Accounts_Block_Microsoft_accounts (Write) : Please see the link above for a full description. { This policy is disabled | Users cant add Microsoft accounts | Users cant add or log on with Microsoft accounts }
  • [String] Accounts_Guest_account_status (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Accounts_Rename_administrator_account (Write) : Please see the link above for a full description. { String }
  • [String] Accounts_Rename_guest_account (Write) : Please see the link above for a full description. { String }
  • [String] Audit_Audit_the_access_of_global_system_objects (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Audit_Audit_the_use_of_Backup_and_Restore_privilege (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Audit_Shut_down_system_immediately_if_unable_to_log_security_audits (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] DCOM_Machine_Access_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax (Write) : Please see the link above for a full description. { String }
  • [String] DCOM_Machine_Launch_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax (Write) : Please see the link above for a full description. { String }
  • [String] Devices_Allow_undock_without_having_to_log_on (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Devices_Allowed_to_format_and_eject_removable_media (Write) : Please see the link above for a full description. { Administrators and Interactive Users | Administrators | Administrators and Power Users }
  • [String] Devices_Prevent_users_from_installing_printer_drivers (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Devices_Restrict_floppy_access_to_locally_logged_on_user_only (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_controller_Allow_server_operators_to_schedule_tasks (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_controller_LDAP_server_signing_requirements (Write) : Please see the link above for a full description. { None | Require Signing }
  • [String] Domain_controller_Refuse_machine_account_password_changes (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Digitally_encrypt_secure_channel_data_when_possible (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Digitally_sign_secure_channel_data_when_possible (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Disable_machine_account_password_changes (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Maximum_machine_account_password_age (Write) : Please see the link above for a full description. { String }
  • [String] Domain_member_Require_strong_Windows_2000_or_later_session_key (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Display_user_information_when_the_session_is_locked (Write) : Please see the link above for a full description. { User displayname, domain and user names | Do not display user information | User display name only }
  • [String] Interactive_logon_Do_not_display_last_user_name (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Do_not_require_CTRL_ALT_DEL (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Machine_account_lockout_threshold (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Machine_inactivity_limit (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Message_text_for_users_attempting_to_log_on (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Message_title_for_users_attempting_to_log_on (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Prompt_user_to_change_password_before_expiration (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Require_smart_card (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Smart_card_removal_behavior (Write) : Please see the link above for a full description. { Lock workstation | Force logoff | Disconnect if a remote Remote Desktop Services session | No Action }
  • [String] Microsoft_network_client_Digitally_sign_communications_always (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_client_Digitally_sign_communications_if_server_agrees (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session (Write) : Please see the link above for a full description. { String }
  • [String] Microsoft_network_server_Attempt_S4U2Self_to_obtain_claim_information (Write) : Please see the link above for a full description. { Default | Disabled | Enabled }
  • [String] Microsoft_network_server_Digitally_sign_communications_always (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Digitally_sign_communications_if_client_agrees (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Disconnect_clients_when_logon_hours_expire (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Server_SPN_target_name_validation_level (Write) : Please see the link above for a full description. { Off | Required from client | Accept if provided by the client }
  • [String] Network_access_Allow_anonymous_SID_Name_translation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Let_Everyone_permissions_apply_to_anonymous_users (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Named_Pipes_that_can_be_accessed_anonymously (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Remotely_accessible_registry_paths (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Remotely_accessible_registry_paths_and_subpaths (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String[]] Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM (Write) : Please see the link above for a full description.
  • [String] Network_access_Shares_that_can_be_accessed_anonymously (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Sharing_and_security_model_for_local_accounts (Write) : Please see the link above for a full description. { Guest only - Local users authenticate as Guest | Classic - Local users authenticate as themselves }
  • [String] Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_Allow_LocalSystem_NULL_session_fallback (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_Configure_encryption_types_allowed_for_Kerberos (Write) : Please see the link above for a full description. { AES256_HMAC_SHA1 | DES_CBC_MD5 | FUTURE | AES128_HMAC_SHA1 | DES_CBC_CRC | RC4_HMAC_MD5 | FUTURE }
  • [String] Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_Force_logoff_when_logon_hours_expire (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_LAN_Manager_authentication_level (Write) : Please see the link above for a full description. { Send NTLMv2 responses only. Refuse LM | Send NTLMv2 responses only. Refuse LM & NTLM | Send LM & NTLM responses | Send LM & NTLM - use NTLMv2 session security if negotiated | Send NTLMv2 responses only | Send NTLM responses only }
  • [String] Network_security_LDAP_client_signing_requirements (Write) : Please see the link above for a full description. { Negotiate Signing | Require Signing | None }
  • [String] Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients (Write) : Please see the link above for a full description. { Require 128-bit encryption | Require NTLMv2 session security | Both options checked }
  • [String] Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers (Write) : Please see the link above for a full description. { Require 128-bit encryption | Require NTLMv2 session security | Both options checked }
  • [String] Network_security_Restrict_NTLM_Add_remote_server_exceptions_for_NTLM_authentication (Write) : Please see the link above for a full description. { String }
  • [String] Network_security_Restrict_NTLM_Add_server_exceptions_in_this_domain (Write) : Please see the link above for a full description. { String }
  • [String] Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic (Write) : Please see the link above for a full description. { Deny all | Deny for domain accounts | Deny for domain servers | Disable | Deny for domain accounts to domain servers }
  • [String] Network_Security_Restrict_NTLM_Audit_NTLM_authentication_in_this_domain (Write) : Please see the link above for a full description. { Deny all | Audit all | Allow all }
  • [String] Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic (Write) : Please see the link above for a full description. { Enable auditing for domain accounts | Enable auditing for all accounts | Disabled }
  • [String] Network_Security_Restrict_NTLM_NTLM_authentication_in_this_domain (Write) : Please see the link above for a full description. { Enable all | Enable for domain accounts | Enable for domain servers | Disable | Enable for domain accounts to domain servers }
  • [String] Network_Security_Restrict_NTLM_Outgoing_NTLM_traffic_to_remote_servers (Write) : Please see the link above for a full description. { Deny all accounts | Deny all domain accounts | Allow all }
  • [String] Recovery_console_Allow_automatic_administrative_logon (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Recovery_console_Allow_floppy_copy_and_access_to_all_drives_and_folders (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Shutdown_Clear_virtual_memory_pagefile (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer (Write) : Please see the link above for a full description. { User input is not required when new keys are stored and used | User must enter a password each time they use a key | User is prompted when the key is first used }
  • [String] System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_objects_Require_case_insensitivity_for_non_Windows_subsystems (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_settings_Optional_subsystems (Write) : Please see the link above for a full description. { String }
  • [String] System_settings_Use_Certificate_Rules_on_Windows_Executables_for_Software_Restriction_Policies (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode (Write) : Please see the link above for a full description. { Elevate without prompting | Prompt for consent | Prompt for credentials on the secure desktop | Prompt for credentials | Prompt for consent for non-Windows binaries | Prompt for consent on the secure desktop }
  • [String] User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users (Write) : Please see the link above for a full description. { Prompt for crendentials | Prompt for credentials on the secure desktop | Automatically deny elevation request }
  • [String] User_Account_Control_Detect_application_installations_and_prompt_for_elevation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Only_elevate_executables_that_are_signed_and_validated (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations (Write) : Please see the link above for a full description. { Disabled | Enabled }
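The following DSC configuration is an added example (not from the project itself) that exercises three of the resources above with values taken from the parameter lists: a password and lockout baseline via AccountPolicy, a set of network and logon hardening options via SecurityOption (including a multi-line logon message), and a UserRightsAssignment with Force. The Policy name 'Debug_programs' and the output path are assumptions; neither appears on this page.

```powershell
Configuration MemberServerSecurityBaseline
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node 'localhost'
    {
        # Password and lockout settings from the AccountPolicy parameter list.
        # The Kerberos-policy parameters are left out on purpose: the README says
        # they must be set by a member of Domain Admins.
        AccountPolicy 'PasswordAndLockout'
        {
            Name                                        = 'PasswordAndLockout'
            Enforce_password_history                    = '24'
            Maximum_Password_Age                        = '60'
            Minimum_Password_Age                        = '1'
            Minimum_Password_Length                     = '14'
            Password_must_meet_complexity_requirements  = 'Enabled'
            Store_passwords_using_reversible_encryption = 'Disabled'
            Account_lockout_duration                    = '15'
            Account_lockout_threshold                   = '10'
            Reset_account_lockout_counter_after         = '15'
        }

        # A selection of Security Options; each value is one of the choices
        # listed for that parameter in the SecurityOption section.
        SecurityOption 'NetworkAndLogonHardening'
        {
            Name                                                                      = 'NetworkAndLogonHardening'
            Accounts_Guest_account_status                                             = 'Disabled'
            Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'
            Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares = 'Enabled'
            Network_security_LAN_Manager_authentication_level                         = 'Send NTLMv2 responses only. Refuse LM & NTLM'
            Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients = 'Both options checked'
            Microsoft_network_client_Digitally_sign_communications_always             = 'Enabled'
            Microsoft_network_server_Digitally_sign_communications_always             = 'Enabled'
            Interactive_logon_Do_not_display_last_user_name                           = 'Enabled'
            Interactive_logon_Message_title_for_users_attempting_to_log_on            = 'Authorized use only'
            # Multi-line message text (supported since 2.1.0.0); the here-string keeps the line breaks.
            Interactive_logon_Message_text_for_users_attempting_to_log_on             = @'
This system is for authorized users only.
Activity may be monitored and recorded.
'@
        }

        # Force = $true makes the listed identities the complete set for this right,
        # so any other principal currently holding it is removed.
        UserRightsAssignment 'DebugProgramsAdminsOnly'
        {
            Policy   = 'Debug_programs'   # assumed policy name, not listed on this page
            Identity = @('Administrators')
            Force    = $true
        }
    }
}

# Compile the MOF, apply it, then confirm the node reports the desired state.
MemberServerSecurityBaseline -OutputPath 'C:\DSC\SecurityBaseline'   # placeholder path
Start-DscConfiguration -Path 'C:\DSC\SecurityBaseline' -Wait -Verbose -Force
Test-DscConfiguration -Path 'C:\DSC\SecurityBaseline' -Verbose
```

Running Test-DscConfiguration afterwards is the quickest way to see whether secedit applied every setting; a False result with -Verbose names the specific policy that drifted.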

Versions

Unreleased

  • Bug fix - Max password age fails when setting to 0. Fixes Issue #121
  • Bug fix - Domain_controller_LDAP_server_signing_requirements - Require Signing. Fixes Issue #122
  • Bug fix - Network_security_Restrict_NTLM security options correct parameter validation. This fix could impact your systems.

2.8.0.0

  • Bug fix - Issue 71 - Added validation attributes to AccountPolicy & SecurityOption
  • Bug fix - Network_security_Restrict_NTLM security option names now map to the correct keys. This fix could impact your systems.
  • Updated LICENSE file to match the Microsoft Open Source Team standard. Fixes Issue #108
  • Refactored the SID translation process to not throw a terminating error when called from Test-TargetResource
  • Updated verbose message during the SID translation process to identify the policy where an orphaned SID exists
  • Added the EType "FUTURE" to the security option "Network_security_Configure_encryption_types_allowed_for_Kerberos"
  • Documentation update to include all valid settings for security options and account policies

2.7.0.0

  • Bug fix - Issue 83 - Network_access_Remotely_accessible_registry_paths_and_subpaths correctly applies multiple paths
  • Update LICENSE file to match the Microsoft Open Source Team standard

2.6.0.0

  • Added SecurityOption - Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM
  • Bug fix - Issue 105 - Spelling error in SecurityOption User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users
  • Bug fix - Issue 90 - Corrected value for Microsoft_network_server_Server_SPN_target_name_validation_level policy

2.5.0.0

  • Added handler for null value in SecurityOption
  • Moved the helper module out from DSCResource folder to the Modules folder.
  • Fixed SecurityPolicyResourceHelper.Tests.ps1 so it is possible to run the tests locally.
  • Fixed minor typos.

2.4.0.0

  • Added additional error handling to ConvertTo-Sid helper function.

2.3.0.0

  • Updated documentation.
    • Added example of applying Kerberos policies
    • Added hyperlinks to readme

2.2.0.0

  • Fixed bug in UserRightAssignment where Get-DscConfiguration would fail if it returns $Identity as single string

2.1.0.0

  • Updated SecurityOption to handle multi-line logon messages
  • SecurityOption: Added logic and example to handle scenario when using Interactive_logon_Message_text_for_users_attempting_to_log_on

2.0.0.0

  • Added SecurityOption and AccountPolicy
  • Removed SecuritySetting

1.5.0.0

  • Refactored user rights assignment to read and test easier.

1.4.0.0

  • Fixed bug in which friendly name translation may fail if user or group contains 'S-'.
  • Fixed bug identified in issues 33 and 34 where Test-TargetResource would return false when it should have returned true

1.3.0.0

  • Added functionality to support BaselineManagement Module.
  • Updated UserRightsAssignment resource to respect dynamic local accounts.
  • Added SecuritySetting resource to process additional INF settings.

1.2.0.0

  • SecurityTemplate: Remove [ValidateNotNullOrEmpty()] attribute for IsSingleInstance parameter
  • Fixed typos

1.1.0.0

  • SecurityTemplate:
    • Made SecurityTemplate compatible with Nano Server
    • Fixed bug in which Path parameter failed when no User section was present

1.0.0.0

  • Initial release with the following resources:
    • UserRightsAssignment
    • SecurityTemplate
