
local_security_policy's Issues

18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only)

Info

LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
The recommended state for this setting is: 'Enabled'.
Rationale:
An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system.
Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to 'Disable NetBIOS over TCP/IP' (on the WINS tab in the NIC properties).
Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'DnsClient.admx/adml' that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Impact:
In the event DNS is unavailable, a system will be unable to request name resolution from other systems on the same subnet.

See Turn off multicast name resolution

18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only)

Info

This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.

  • A B-node (broadcast) system only uses broadcasts.
  • A P-node (point-to-point) system uses only name queries to a name server (WINS).
  • An M-node (mixed) system broadcasts first, then queries the name server (WINS).
  • An H-node (hybrid) system queries the name server (WINS) first, then broadcasts.

The recommended state for this setting is: 'NodeType - 0x2 (2)' (P-node / point-to-point).
Rationale:
In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts.

Solution

To establish the recommended configuration, set the following Registry value to '0x2 (2) (DWORD)':
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters:NodeType
Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template ('Set-NetBIOS-node-type-KB160177.adm') is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not 'undo' the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.
Impact:
NetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail.

See NetBIOS Node Type
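The two posts above (18.5.4.2 and 18.5.4.1) plus the per-NIC "Disable NetBIOS over TCP/IP" note describe three separate controls that together stop a host from answering LLMNR/NBT-NS poisoners. The following audit script is an added example written for this page, not code from the ayohrling-local_security_policy module or from CIS. It evaluates a snapshot of the relevant registry values: the policy value EnableMulticast under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (what the 'Turn off multicast name resolution' policy writes), NetBT\Parameters\NodeType, and the per-interface NetbiosOptions value under NetBT\Parameters\Interfaces\Tcpip_{GUID} (2 = disabled, which is what the NIC's WINS tab writes). The snapshot hash shape and the sample GUIDs are constructed for the example; the collector at the bottom only runs on Windows.

```ruby
# Added example (not the module's code): audit LLMNR, NetBT node type and
# per-NIC NetBIOS over TCP/IP from a snapshot of registry values.
require 'win32/registry' if Gem.win_platform?

NODE_TYPES = { 1 => 'B-node', 2 => 'P-node', 4 => 'M-node', 8 => 'H-node' }.freeze

# Snapshot shape (constructed for this example):
#   :enable_multicast -> HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast, nil if absent
#   :node_type        -> HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType, nil if absent
#   :interfaces       -> { 'Tcpip_{GUID}' => NetbiosOptions } for each subkey of NetBT\Parameters\Interfaces
def name_resolution_findings(snapshot)
  findings = []
  # EnableMulticast=0 is what the policy writes; an absent value leaves LLMNR on (the default).
  findings << 'LLMNR still enabled: DNSClient\EnableMulticast must be 0 (18.5.4.2)' unless snapshot[:enable_multicast] == 0
  nt = snapshot[:node_type]
  unless nt == 2
    state = nt.nil? ? 'not set' : NODE_TYPES.fetch(nt) { "unknown value #{nt}" }
    findings << "NetBT NodeType is #{state}: must be 2 / P-node (18.5.4.1)"
  end
  # Per-NIC NetbiosOptions: 0 = use the DHCP-supplied setting, 1 = enabled, 2 = disabled.
  # There is no global switch, so every interface is checked.
  snapshot[:interfaces].each do |iface, opt|
    findings << "NetBIOS over TCP/IP not disabled on #{iface} (NetbiosOptions=#{opt.inspect})" unless opt == 2
  end
  findings
end

# Windows-only collector for the snapshot above (Win32::Registry is Ruby stdlib on Windows).
def snapshot_from_registry
  hklm = Win32::Registry::HKEY_LOCAL_MACHINE
  read = lambda do |path, name|
    begin
      hklm.open(path, Win32::Registry::KEY_READ) { |k| k[name] }
    rescue Win32::Registry::Error
      nil # key or value absent
    end
  end
  interfaces = {}
  begin
    hklm.open('SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces', Win32::Registry::KEY_READ) do |k|
      k.each_key do |sub, _wtime|
        interfaces[sub] = read.call("SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters\\Interfaces\\#{sub}", 'NetbiosOptions')
      end
    end
  rescue Win32::Registry::Error
    interfaces = {}
  end
  {
    enable_multicast: read.call('SOFTWARE\Policies\Microsoft\Windows NT\DNSClient', 'EnableMulticast'),
    node_type: read.call('SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType'),
    interfaces: interfaces,
  }
end

if $PROGRAM_NAME == __FILE__ && Gem.win_platform?
  findings = name_resolution_findings(snapshot_from_registry)
  puts(findings.empty? ? 'compliant' : findings)
end
```

Run it as a local Administrator after the NodeType reboot; an empty result means all three controls are in place. A host with the GP setting applied but a NIC still at NetbiosOptions=0 or 1 will keep answering NBT-NS queries, which is exactly the gap the CIS note about per-NIC configuration warns about.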

Accounts: Administrator Account Status LSP is not supported by Module

We are doing Windows hardening by modifying LSP settings and modifying registry keys according to CIS standards, but the current version of the module does not support the LSP setting 'Accounts: Administrator Account Status'.

Is it possible to have this feature available in this module?

wmic hanging on 2012 and 2012R2 servers

A great module, but I have an issue with the module's execution of wmic when allowed to run during a normal puppet connect, whereby I can see in the task manager that it is hanging in the system.

But if I run a puppet agent -t, it works with no problems. Any ideas?

18.5.14.1 Ensure 'Hardened UNC Paths' is set

Info

This policy setting configures secure access to UNC paths.
The recommended state for this setting is: 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares'.
Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the 'Privacy' setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.
Rationale:
In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template ('NetworkProvider.admx/adml') was also provided with the security update.
Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk:
'\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1'
'\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1'
Note: A reboot may be required after the setting is applied to a client machine to access the above paths.
Additional guidance on the deployment of this security setting is available from the Microsoft Premier Field Engineering (PFE) Platforms TechNet Blog here: Guidance on Deployment of MS15-011 and MS15-014.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled' with the following paths configured, at a minimum:
'\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1'
'\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1'
Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths
Note: This Group Policy path does not exist by default. An additional Group Policy template ('NetworkProvider.admx/adml') is required - it is included with the MS15-011 / MSKB 3000483 security update or with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Impact:
Windows only allows access to the specified UNC paths after fulfilling additional security requirements.

18.8.21.4 Ensure 'Continue experiences on this device' is set to 'Disabled'

Info

This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).
The recommended state for this setting is: 'Disabled'.
Rationale:
A cross-device experience is when a system can access apps and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'GroupPolicy.admx/adml' that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
Impact:
The Windows device will not be discoverable by other devices, and cannot participate in cross-device experiences.

See Continue experiences on this device

18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled'

Info

This policy setting configures the retrieval of online tips and help for the Settings app.
The recommended state for this setting is: 'Disabled'.
Rationale:
Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':
Computer Configuration\Policies\Administrative Templates\Control Panel\Allow Online Tips
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'ControlPanel.admx/adml' that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
Impact:
Settings will not contact Microsoft content services to retrieve tips and help content.

UserRight Assignments not idempotent

Has anyone else had the issue where puppet keeps re-applying the user right assignments over and over? It looks like when the user rights are exported, they are exported as SIDs instead of usernames via the secedit tool. I am supplying the username when I call the puppet type. The policy is updated properly, but it gets applied on every run.

18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'

Info

This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
The recommended state for this setting is: 'Disabled'.
Rationale:
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled:'
Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'LanmanWorkstation.admx/adml' that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
Impact:
The SMB client will reject insecure guest logons.

See Enable insecure guest logons

Wrong value returned

When I fetch the resource 'Interactive logon: Machine inactivity limit' it returns the incorrect value. I have it set to 900, but what gets returned is 4,900. I assume that the 4 is actually the reg_type.

C:\Windows\system32>puppet resource local_security_policy 'Interactive logon: Machine inactivity limit'
local_security_policy { 'Interactive logon: Machine inactivity limit':
  ensure         => 'present',
  policy_setting => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs',
  policy_type    => 'Registry Values',
  policy_value   => '4,900',
}

Question instead of issue

I was trying to determine, does the module overwrite existing values in the LSP or merely append user-supplied values to those in the LSP?
Thank you

18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'

Info

This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group.
For additional information, see Microsoft Knowledge Base article 324737: How to turn on automatic logon in Windows.
The recommended state for this setting is: 'Disabled'.
Rationale:
If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Note: This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is available from this TechNet blog post: The MSS settings -- Microsoft Security Guidance blog
Impact:
None - this is the default behavior.

18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled'

Info

This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech.
The recommended state for this setting is: 'Disabled'.
Rationale:
If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':
Computer Configuration\Policies\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'Globalization.admx/adml' that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Impact:
Automatic learning of speech, inking, and typing stops and users cannot change its value via PC Settings.

18.8.22.1.10 Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'

Info

This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders.
The recommended state for this setting is: 'Enabled'.
Rationale:
Users may publish confidential or sensitive information to a public service outside of the control of the organization.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the 'Publish to Web' task for files and folders
Note: This Group Policy path is provided by the Group Policy template 'ICM.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
The 'Publish to Web' task is removed from File and Folder tasks in Windows folders.

See Turn off the "Publish to Web" task for files and folders

18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'

Info

The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope.
Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing.
The recommended state for this setting is: 'Enabled'.
Rationale:
This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services
Note: This Group Policy path is provided by the Group Policy template 'P2P-pnrp.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
Microsoft Peer-to-Peer Networking Services are turned off in their entirety, and all applications dependent on them will stop working.

18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'

Info

Although this 'legacy' setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016.
The recommended state for this setting is: 'Enabled'.
Rationale:
Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network
Note: This Group Policy path is provided by the Group Policy template 'NetworkConnections.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
Mobile Hotspot cannot be enabled or configured by Administrators and non-Administrators alike.

Failed to apply catalog: Could not parse line.

If the legal notice has been set by the puppetlabs-MOTD module and the text contains \n spacing, the ayohrling-local_security_policy module reports an error that it could not parse the line.

Examples from the registry:
"legalnoticetext"="LEGAL NOTICE
This is a private computer system containing confidential information.
Any unauthorized attempt to access or use this computer system or any information on it by employees or other persons may result in
termination of employment, civil fines, and criminal penalties.

This system must be used for authorized business purposes only.    
"

Puppet code:
content => "LEGAL NOTICE
This is a private computer system containing confidential information.
Any unauthorized attempt to access or use this computer system or any information on it by employees or other persons may result in
termination of employment, civil fines, and criminal penalties.

This system must be used for authorized business purposes only.    
",

The above fails.

While this is not the complete message, this does work:
"legalnoticetext"="LEGAL NOTICE This is a private computer system containing confidential information. Any unauthorized attempt to access or use this computer system or any information"

Puppet code:
content => 'LEGAL NOTICE This is a private computer system containing confidential information. Any unauthorized attempt to access or use this computer system or any information',
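Both this report and the earlier "Wrong value returned" one (policy_value '4,900' for a timeout of 900) come down to how secedit lays out the [Registry Values] section of its export: each line is MACHINE\<key path>=<type>,<data>, where the number before the first comma is the registry data type (1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ) and not part of the value, and a multi-line REG_MULTI_SZ such as LegalNoticeText is written as one comma-separated field per string. The parser below is an added example for this page, not the module's code; it splits type from data on the first comma only and decodes by type. The sample export text is constructed in that layout and is not a real export.

```ruby
# Added example (not the module's code): parse the [Registry Values] section of a
# `secedit /export /cfg <file>` INF and decode each value according to its type field.
REG_TYPES = {
  1 => :reg_sz, 2 => :reg_expand_sz, 3 => :reg_binary, 4 => :reg_dword, 7 => :reg_multi_sz,
}.freeze

RegistryValue = Struct.new(:path, :type, :data)

def parse_registry_value_line(line)
  path, rest = line.split('=', 2)
  raise ArgumentError, "not a key=value line: #{line.inspect}" if rest.nil?
  type_field, payload = rest.split(',', 2) # first comma only: the data may itself contain commas
  type = REG_TYPES.fetch(Integer(type_field.to_s.strip)) { raise ArgumentError, "unknown type in #{line.inspect}" }
  payload = payload.to_s
  data = case type
         when :reg_dword then Integer(payload.strip)            # '4,900' -> 900
         when :reg_sz, :reg_expand_sz then payload.sub(/\A"(.*)"\z/m, '\1') # strip the quotes secedit adds
         # REG_MULTI_SZ: one comma-separated field per string. Keep empty fields (limit -1)
         # so blank lines inside a logon notice survive the round trip.
         when :reg_multi_sz then payload.split(',', -1)
         else payload                                           # binary etc. left as exported
         end
  RegistryValue.new(path.strip, type, data)
end

# Returns { key path => RegistryValue } for everything in [Registry Values].
def parse_registry_values_section(inf_text)
  in_section = false
  inf_text.each_line.with_object({}) do |raw, out|
    line = raw.chomp
    if (m = line.match(/\A\[(.+)\]\z/))
      in_section = (m[1] == 'Registry Values')
      next
    end
    next if !in_section || line.strip.empty?
    value = parse_registry_value_line(line)
    out[value.path] = value
  end
end

# Constructed sample in secedit export layout (not a real export).
SAMPLE_INF = <<~'INF'
  [Unicode]
  Unicode=yes
  [Registry Values]
  MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
  MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
  MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,LEGAL NOTICE,This is a private computer system containing confidential information.,,This system must be used for authorized business purposes only.
  [Version]
  signature="$CHICAGO$"
INF

if $PROGRAM_NAME == __FILE__
  parse_registry_values_section(SAMPLE_INF).each_value do |v|
    puts "#{v.path.split('\\').last}: #{v.type} => #{v.data.inspect}"
  end
end
```

The caveat a practitioner should keep in mind: in this encoding a comma inside a notice line is indistinguishable from a line break, so a notice that contains commas will not round-trip cleanly through secedit regardless of how it is parsed. Keeping the legal notice on one line, as the reporter ended up doing, sidesteps that ambiguity as well as the newline problem.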

18.8.22.1.12 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'

Info

This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.
Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly; enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
The recommended state for this setting is: 'Enabled'.
Rationale:
Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program
Note: This Group Policy path is provided by the Group Policy template 'ICM.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
All users are opted out of the Windows Customer Experience Improvement Program.

See Turn off Windows Customer Experience Improvement Program

Request: Ability to merge existing policy_values with ones place in module

Similar to the feature added to kpn/local_security_policy.
The ability to not clobber existing entries for a local policy would be ideal.
I am specifically looking at 'Deny log on locally' and 'Deny log on through Remote Desktop Services'. When creating a service account used for device discovery, it would be great to be able to add to the existing policy instead of purging it.

Setting or merging User Rights
With Privilege Rights it is possible to set: the value or to merge: the values. When using the set: option, the policy_value is set as the desired value. Do not use '+' or '-' when using set:. When using the merge: option, the policy_value is merged with the existing value. '+' will add a value and '-' will remove a value. If you do not use set: or merge: then set: will be the default.

18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'

I need to manage the following security policy, which doesn't (yet) seem to be supported by this module:

18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
Info

Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
The recommended state for this setting is: 'Enabled'.

Rationale:

Disabling the lock screen camera extends the protection afforded by the lock screen to camera features.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen camera
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'ControlPanelDisplay.admx/adml' that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Impact:
If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen.

Error: Could not autoload puppet/type/local_security_policy: interning empty string

To start, I am just a beginner with Puppet, hence might have missed something very obvious.

After installing the module, when I run the agent I get the error:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not autoload puppet/type/local_security_policy: interning empty string on node tets2
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

At puppetmaster I see -
puppet describe file
Error: Could not autoload puppet/type/local_security_policy: interning empty string
Error: Could not run: Could not autoload puppet/type/local_security_policy: interning empty string

puppet module list
/etc/puppet/environments/production/modules
├── ayohrling-local_security_policy (v0.6.0)
├── badgerious-wmi_obj (v1.0.2)
├── puppetlabs-acl (v1.1.2)
├── puppetlabs-powershell (v2.0.3)
├── puppetlabs-registry (v1.1.3)
└── puppetlabs-stdlib (v4.13.1)
/etc/puppet/modules
├── aix (???)
├── custom (???)
├── linux (???)
└── windows (???)
/usr/share/puppet/modules (no modules installed)

18.8.22.1.13 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'

Info

This policy setting controls whether or not errors are reported to Microsoft.
Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.
The recommended state for this setting is: 'Enabled'.
Rationale:
If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Error Reporting
Note: This Group Policy path is provided by the Group Policy template 'ICM.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
Users are not given the option to report errors to Microsoft.

See Turn off Windows Error Reporting

18.3.5 Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'

Info

Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware.
The recommended state for this setting is: 'Enabled'.
For more information, see this link: Block Potentially Unwanted Applications with Windows Defender AV | Microsoft Docs
Rationale:
This opt-in feature is free and could prevent malicious software from being installed.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Turn on Windows Defender protection against Potentially Unwanted Applications
Note: This Group Policy path does not exist by default. An additional Group Policy template ('SecGuide.admx/adml') is required - it is available from Microsoft at this link.
Impact:
Applications that are identified by Microsoft as PUA will be blocked at download and install time.

usage

how to use this module for windows

18.8.22.1.11 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'

Info

This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly; enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
The recommended state for this setting is: 'Enabled'.
Rationale:
Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
Note: This Group Policy path is provided by the Group Policy template 'ICM.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
Windows Messenger will not collect usage information, and the user settings to enable the collection of usage information will not be shown.

See Turn off the Windows Messenger Customer Experience Improvement Program.

18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')

Info

Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively.
The recommended state for this setting is: 'DisabledComponents - 0xff (255)'.
Rationale:
Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed.

Solution

To establish the recommended configuration, set the following Registry value to '0xff (255) (DWORD)':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:DisabledComponents
Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template ('Disable-IPv6-Components-KB929852.adm') is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not 'undo' the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.
Impact:
Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. Examples of Microsoft applications that may use IPv6 include: Remote Assistance, HomeGroup, DirectAccess, Windows Mail.
This registry change is documented in Microsoft Knowledge Base article 929852: How to disable IPv6 or its components in Windows.
Note: This registry change does not take effect until the next reboot.

See IPv6 Configuration Policy

Could not autoload puppet/type/local_security_policy: undefined method `path' for nil:NilClass

Hi, I tried to use the module, but can't get it to work.
This is the trace:

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Could not autoload puppet/type/local_security_policy: undefined method `path' for nil:NilClass at /etc/puppetlabs/code/environments/test/modules/base/manifests/mssql.pp:16:5 on node test01.test.lab
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/indirector/rest.rb:208:in `is_http_200?'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/indirector/rest.rb:106:in `find'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/indirector/indirection.rb:194:in `find'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:377:in `block in retrieve_new_catalog'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util.rb:386:in `block in thinmark'
C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/2.1.0/benchmark.rb:294:in `realtime'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util.rb:385:in `thinmark'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:376:in `retrieve_new_catalog'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:78:in `retrieve_catalog'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:147:in `prepare_and_retrieve_catalog'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:281:in `run_internal'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:186:in `block in run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/context.rb:65:in `override'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet.rb:240:in `override'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/configurer.rb:185:in `run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:45:in `block (4 levels) in run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent/locker.rb:21:in `lock'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:45:in `block (3 levels) in run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:98:in `with_client'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:42:in `block (2 levels) in run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:65:in `run_in_fork'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:41:in `block in run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/application.rb:179:in `call'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/application.rb:179:in `controlled_run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/agent.rb:39:in `run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/application/agent.rb:353:in `onetime'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/application/agent.rb:331:in `run_command'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/application.rb:344:in `block in run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util.rb:540:in `exit_on_fail'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/application.rb:344:in `run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util/command_line.rb:128:in `run'
C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util/command_line.rb:72:in `execute'
C:/Program Files/Puppet Labs/Puppet/puppet/bin/puppet:5:in `'
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Any clue what is going wrong?

18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'

18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'

Info

This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:

  • 'Good': The driver has been signed and has not been tampered with.
  • 'Bad': The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
  • 'Bad, but required for boot': The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
  • 'Unknown': This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.

If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
The recommended state for this setting is: 'Enabled: Good, unknown and bad but critical'.
Rationale:
This policy setting helps reduce the impact of malware that has already infected your system.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled: Good, unknown and bad but critical':
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware\Boot-Start Driver Initialization Policy
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'EarlyLaunchAM.admx/adml' that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Impact:
None - this is the default behavior.

See Boot-Start Driver Initialization Policy

Error: Could not find a suitable provider for local_security_policy

I have a node definition to configure a local security policy like this:

local_security_policy { 'Minimum password age':
  ensure        => present,
  policy_value  => '1',
}

But when I run puppet agent -t --debug I get the following error:

...
Debug: Puppet::Type::Local_security_policy::ProviderPolicy: file wmic does not exist
Debug: Puppet::Type::Local_security_policy::ProviderPolicy: file wmic does not exist
Debug: Node[tst-server]: Resource is being skipped, unscheduling all events
Debug: Class[Main]: Resource is being skipped, unscheduling all events
Debug: Stage[main]: Resource is being skipped, unscheduling all events
Info: Stage[main]: Unscheduling all events on Stage[main]
Error: Could not find a suitable provider for local_security_policy

Any idea on how to fix/further diagnose why my configuration isn't working?

On the node the puppet resource local_security_policy commands work fine. The node is running Windows Server 2008 R2 with Puppet 4.5.0.

18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'

18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'

Info

This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider.
The recommended state for this setting is: 'Disabled'.
Rationale:
In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':
Computer Configuration\Policies\Administrative Templates\Network\Fonts\Enable Font Providers
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'GroupPolicy.admx/adml' that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
Impact:
Windows will not connect to an online font provider and will only enumerate locally-installed fonts.

See Enable Font Providers

18.4.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set

18.4.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set

Info

Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled.
The recommended state for this setting is: 'Enabled: 5 or fewer seconds'.
Rationale:
The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled: 5 or fewer seconds':
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Note: This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is available from this TechNet blog post: The MSS settings -- Microsoft Security Guidance blog
Impact:
Users will have to enter their passwords to resume their console sessions as soon as the grace period ends after screen saver activation.

18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'

18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'

Info

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.
For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents.
For more information about 'UseLogonCredential', see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014.
The recommended state for this setting is: 'Disabled'.
Rationale:
Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997)
This setting writes the REG_DWORD value 'UseLogonCredential' = 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. An attacker with administrative access can set that value back to 1 so that Lsass.exe keeps plaintext passwords in memory again, so it is worth auditing the registry value itself and not only the GPO state.
Note: This Group Policy path does not exist by default. An additional Group Policy template ('SecGuide.admx/adml') is required - it is available from Microsoft at this link.
Impact:
None - this is also the default configuration for Server 2012 R2 and newer.

18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'

18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'

Info

The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
The recommended state for this setting is: 'Enabled: FALSE' (unchecked).
Rationale:
Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled', then set the 'Do not apply during periodic background processing' option to 'FALSE' (unchecked):
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'GroupPolicy.admx/adml' that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Impact:
Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance.

See Configure registry policy processing

module dumps all users/groups in AD to csv

Hi,

When running the module as a non-local user (e.g. an AD-user with local admin rights) the method 'local_users' using WMIC.exe dumps the complete list of users and group present in the Active Directory. Depending on the size and speed, this can take anywhere from 5 to 15 minutes in my experience. This takes place on every Puppet run and makes coding/testing very difficult.

@ayohrling Is there a reason the way it is implemented now? Do we need the complete list of objects/SIDs? Is it possible to cache this information and only expire it after a certain time? Or can we query the AD for the information when needed for a particular user/group?

There are gems for querying the AD from Ruby natively (using LDAP) but before I explore that route I would like to know the rationale for the current implementation.

Gerben

18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)

18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)

Info

In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed.
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details.
LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain.
The recommended state for this setting is: 'Enabled'.
Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations.
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations.
Rationale:
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\LAPS\Enable Local Admin Password Management
Note: This Group Policy path does not exist by default. An additional Group Policy template ('AdmPwd.admx/adml') is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
Impact:
The local administrator password is managed (provided that the LAPS AdmPwd GPO Extension / CSE is installed on the target computer (see Rule 18.2.1), the Active Directory domain schema and account permissions have been properly configured on the domain).
In a disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using a tool (such as Microsoft's Disaster and Recovery Toolset (DaRT) Recovery Image) may be necessary.

18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'

18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'

Info

The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed.
The recommended state for this setting is: 'Enabled: TRUE' (checked).
Rationale:
Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled', then set the 'Process even if the Group Policy objects have not changed' option to 'TRUE' (checked):
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'GroupPolicy.admx/adml' that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Impact:
Group Policies will be reapplied even if they have not been changed, which could have a slight impact on performance.

See Configure registry policy processing

log on as a service timeout?

This seems to time out on my system.

You can use puppet resource local_security_policy 'Log on as a service' to get the current values

Was just curious if anyone else was using something similar to:

local_security_policy { 'Log on as a service':
  ensure         => present,
  policy_setting => 'SeServiceLogonRight',
  policy_type    => 'Privilege Rights',
  policy_value   => 'values_go_here'
}

18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)

18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)

Info

In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed.
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain.
The recommended state for this setting is: 'Enabled'.
Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations.
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations.
Rationale:
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy
Note: This Group Policy path does not exist by default. An additional Group Policy template ('AdmPwd.admx/adml') is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
Impact:
Planned password expiration longer than password age dictated by 'Password Settings' policy is NOT allowed.

18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'

18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'

Info

Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
The recommended state for this setting is: 'Enabled'.
Rationale:
Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen slide show
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'ControlPanelDisplay.admx/adml' that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Impact:
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.

lib/puppet_x/lsp/security_policy.rb typo case sensitivity

As I'm connecting from work, I sadly cannot submit a remedy myself. Found a case typo that was causing a bunch of headaches. See below for what I did locally (just lower cased Auditing):

class SecurityPolicy
attr_reader :wmic_cmd

  •  EVENT_TYPES = ["Success,Failure", "Success", "Failure", "No Auditing", 0, 1, 2, 3]
    
  • EVENT_TYPES = ["Success,Failure", "Success", "Failure", "No auditing", 0, 1, 2, 3]
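
Review bot: lower-casing the literal fixes the one spelling you hit but leaves EVENT_TYPES an exact-match list, so `no auditing` or `NO AUDITING` in a manifest still fails the same way. Rather than editing the constant, compare case-insensitively where the membership check happens, e.g. `EVENT_TYPES.map { |t| t.to_s.downcase }.include?(value.to_s.downcase)`, so the accepted value no longer depends on which capitalisation happens to be in the list.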
    

Domain controllers errors

Recently all domain controllers started showing errors; please see the end of the message.
It works fine on member servers, but on domain controllers it does not.
I have to disable all items that apply string values, like below:
local_security_policy { 'Create global objects':
  ensure       => 'present',
  policy_value => 'Administrators',
}


C:\Windows\system32>puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node environment 'test', switching agent to 'test'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for v001isdevdc01.devebank.com
Error: Failed to apply catalog: Parameter policy_value failed on Local_security_policy[Create global objects]: Munging failed for value "Administrators" in class policy_value: incomplete "\x00" on UTF-16LE at /etc/puppetlabs/code/environments/test/modules/easternbank_security_windows_dc/manifests/user_rights.pp:504

C:\Windows\system32>
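
The error text in the report is exactly what Ruby raises when a byte string of odd length is labelled UTF-16LE and then transcoded: the trailing lone byte cannot form a 16-bit code unit. The example below is added here and is not the module's code; it reproduces that failure and shows a decoder for the secedit export format that avoids it. secedit /export writes its .inf as UTF-16LE with a byte-order mark, so the file has to be transcoded rather than relabelled. The sample export and the stray-NUL input are constructed, and it is an assumption, not something the report proves, that the provider hits this exact path on a domain controller.

```ruby
# Added example (not the local_security_policy module's code): decoding a
# secedit /export file safely and reproducing the "incomplete \x00" error.

UTF16LE_BOM = "\xFF\xFE".b.freeze

# Constructed sample: what secedit /export produces, as bytes (BOM + UTF-16LE).
def sample_export_bytes
  text = "[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n" \
         "SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6\r\n"
  UTF16LE_BOM + text.encode(Encoding::UTF_16LE).b
end

# Decode an exported policy file to UTF-8 regardless of how it was written.
# A BOM means UTF-16LE: strip it, drop a dangling odd byte (it cannot be a
# code unit), and transcode. Anything else is treated as UTF-8/ASCII.
def decode_secedit_export(bytes)
  raw = bytes.b
  if raw.start_with?(UTF16LE_BOM)
    body = raw.byteslice(2..-1)
    body = body.byteslice(0, body.bytesize - 1) if body.bytesize.odd?
    body.force_encoding(Encoding::UTF_16LE)
        .encode(Encoding::UTF_8, invalid: :replace, undef: :replace)
  else
    raw.force_encoding(Encoding::UTF_8).scrub
  end
end

# Reproduce the failure from the report: a plain string with a stray NUL
# relabelled as UTF-16LE has an odd byte count, so transcoding raises.
# Returns the exception message, or nil if the transcode succeeded.
def mislabelled_transcode_error(value)
  value.b.force_encoding(Encoding::UTF_16LE).encode(Encoding::UTF_8)
  nil
rescue Encoding::InvalidByteSequenceError => e
  e.message
end

# Parse decoded .inf text into { section => { key => value } }.
def parse_inf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty?
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

if $PROGRAM_NAME == __FILE__
  text = decode_secedit_export(sample_export_bytes)
  p parse_inf(text)['Privilege Rights']
  puts mislabelled_transcode_error("Administrators\x00")
end
```

The decoder keys on the BOM rather than on the platform, so the same code works on a member server and a domain controller; the one thing it deliberately does not do is `force_encoding` a string it did not read from the file.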

18.4.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'

18.4.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'

Info

The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:

  • Search folders specified in the system path first, and then search the current working folder.
  • Search current working folder first, and then search the folders specified in the system path.

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path.
Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems.
The recommended state for this setting is: 'Enabled'.
Rationale:
If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Note: This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is available from this TechNet blog post: The MSS settings -- Microsoft Security Guidance blog
Impact:
None - this is the default behavior.
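
To make the rationale concrete, here is an added example (not part of the benchmark text or the module) that models the documented loader order for a DLL requested by name: application directory, then the Windows system directories, then the current working directory, then PATH when SafeDllSearchMode is 1; with 0 the current working directory moves up to second place. KnownDLLs and manifests are ignored. The directory layout, file names and the planted copy of version.dll are constructed for the demo.

```ruby
# Added example (not the module's code): a model of the Windows DLL search
# order with SafeDllSearchMode on (1) and off (0).

# Directories the loader consults after the application directory. The real
# loader also honours KnownDLLs and manifests, which this model ignores.
SYSTEM_DIRS = ['C:\Windows\System32', 'C:\Windows\System', 'C:\Windows'].freeze

# With SafeDllSearchMode=1 the current working directory is searched only
# after the Windows directories; with 0 it is searched right after the
# application directory.
def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode)
  if safe_dll_search_mode == 1
    [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
  else
    [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]
  end
end

# Return the path the loader would pick for +dll+ (case-insensitive name
# match, first hit wins), or nil if no directory in the order contains it.
# +files+ is a constructed map of directory => list of file names.
def resolve_dll(dll, files, app_dir:, cwd:, path_dirs:, safe_dll_search_mode:)
  want = dll.downcase
  search_order(app_dir, cwd, path_dirs, safe_dll_search_mode).each do |dir|
    names = (files[dir] || []).map(&:downcase)
    return "#{dir}\\#{dll}" if names.include?(want)
  end
  nil
end

# Constructed layout: the genuine version.dll lives in System32; an attacker
# has dropped a same-named DLL next to a document on a share, and that share
# becomes the process CWD when the document is opened from there.
FILES = {
  'C:\Windows\System32'       => ['version.dll', 'kernel32.dll'],
  'C:\Program Files\App'      => ['app.exe'],
  '\\\\fileserver\share\docs' => ['report.docx', 'version.dll'],
}.freeze

# Which version.dll does the app load under each policy value?
def load_version_dll(safe_dll_search_mode)
  resolve_dll('version.dll', FILES,
              app_dir: 'C:\Program Files\App',
              cwd: '\\\\fileserver\share\docs',
              path_dirs: ['C:\Windows\System32'],
              safe_dll_search_mode: safe_dll_search_mode)
end

if $PROGRAM_NAME == __FILE__
  puts "SafeDllSearchMode=1 -> #{load_version_dll(1)}"
  puts "SafeDllSearchMode=0 -> #{load_version_dll(0)}"
end
```

Note that the application directory is searched first in both modes, so the setting does nothing against a DLL planted next to the executable itself; it only closes the current-working-directory window, which is exactly the case the Rationale describes.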

Could not evaluate: undefined method `[]' for nil:NilClass

Could not evaluate: undefined method `[]' for nil:NilClass

This seems to be happening while using the following code

local_security_policy { 'Network access: Let Everyone permissions apply to anonymous users':
  ensure         => 'present',
  policy_setting => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
  policy_type    => 'Registry Values',
  policy_value   => '0',
}

Little typo

ayohrling-local_security_policy-0.5.5\spec\unit\puppet\type\local_security_policy\local_security_policy_spec
:policy_value => 'xuccess,Failure',

xucces

18.8.22.1.12 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'

18.8.22.1.12 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'

Info

This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.
Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly; enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
The recommended state for this setting is: 'Enabled'.
Rationale:
Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program
Note: This Group Policy path is provided by the Group Policy template 'ICM.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates.
Impact:
All users are opted out of the Windows Customer Experience Improvement Program.

See Turn off Windows Customer Experience Improvement Program

privilege rights mapping issue

There seems to be an issue when using the privilege rights policy type when it comes to mapping users to SIDs. Puppet thinks that it needs to update something when a username is supplied instead of the SID. We just need to change when we convert the SID to a human-readable name so that Puppet does not get confused.

Notice: /Stage[main]/Main/Local_security_policy[Log on as a service]/policy_value: policy_value changed 'sshd_server,*S-1-5-80-0' to '*S-1-5-21-2779173042-376583331-3911003981-1003,*S-1-5-80-0'
Notice: Finished catalog run in 2.06 seconds

This occurs when the following code is applied

local_security_policy { 'Log on as a service':
  ensure         => 'present',
  policy_setting => 'SeServiceLogonRight',
  policy_type    => 'Privilege Rights',
  policy_value   => 'sshd_server,*S-1-5-80-0',
}
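
The spurious change above and Gerben's question about dumping the whole directory have the same fix: resolve only the accounts that actually appear in a value, cache each answer, and canonicalise both the desired and the current value to SIDs before comparing them. The block below is an added example, not the module's code. The resolver backend is a constructed table standing in for a per-account WMIC or Win32_Account query; the SID for sshd_server is taken from the notice above, and the helper names are assumptions.

```ruby
# Added example (not the local_security_policy module's code): per-account
# SID resolution with a TTL cache, and canonical comparison of a
# 'Privilege Rights' value so names and SIDs compare equal.

SID_RE = /\AS-1-\d+(?:-\d+)+\z/

class SidResolver
  # backend: callable name -> SID string or nil, answering for ONE account
  # per call (no directory-wide enumeration). ttl: seconds to keep a hit.
  def initialize(backend, ttl: 300,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @backend = backend
    @ttl = ttl
    @clock = clock
    @cache = {}     # downcased name => [sid, expires_at]
    @lookups = 0    # how many times the backend was actually asked
  end

  attr_reader :lookups

  def sid_for(name)
    key = name.downcase
    sid, expires = @cache[key]
    return sid if sid && expires > @clock.call
    @lookups += 1
    sid = @backend.call(name)
    @cache[key] = [sid, @clock.call + @ttl] if sid
    sid
  end
end

# secedit writes SIDs with a leading '*' and bare names without one. Return
# a sorted, de-duplicated list of '*S-1-...' entries; an unresolvable name
# raises instead of being dropped, so a typo can never silently remove a
# right from the policy.
def canonical_rights(value, resolver)
  value.split(',').map(&:strip).reject(&:empty?).map do |entry|
    bare = entry.delete_prefix('*')
    next "*#{bare}" if bare.match?(SID_RE)
    sid = resolver.sid_for(bare)
    raise ArgumentError, "unknown account: #{bare}" unless sid
    "*#{sid}"
  end.uniq.sort
end

# The comparison a provider's insync? should make: canonical vs canonical.
def rights_in_sync?(desired, current, resolver)
  canonical_rights(desired, resolver) == canonical_rights(current, resolver)
end

# Constructed directory for the demo; only names asked for are looked up.
DIRECTORY = {
  'sshd_server'    => 'S-1-5-21-2779173042-376583331-3911003981-1003',
  'Administrators' => 'S-1-5-32-544',
}.freeze
LOOKUP = ->(name) { DIRECTORY[name] }

if $PROGRAM_NAME == __FILE__
  r = SidResolver.new(LOOKUP)
  desired = 'sshd_server,*S-1-5-80-0'
  current = '*S-1-5-21-2779173042-376583331-3911003981-1003,*S-1-5-80-0'
  puts "in sync: #{rights_in_sync?(desired, current, r)} (backend calls: #{r.lookups})"
end
```

Comparing canonical forms means the manifest can keep the readable name while secedit keeps the SID, and each Puppet run costs one backend query per distinct name rather than a full directory export.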
