SecurityPolicyDsc

A wrapper around secedit.exe to allow you to configure local security policies. This resource requires a Windows OS with secedit.exe.

Code of Conduct

This project has adopted this Code of Conduct.

Releases

For each merge to the branch master a preview release will be deployed to PowerShell Gallery. Periodically a release version tag will be pushed which will deploy a full release to PowerShell Gallery.

Contributing

Please check out common DSC Community contributing guidelines.

Change log

A full list of changes in each version can be found in the change log.

Resources

  • AccountPolicy: Configures the policies under the Account Policy node in local security policies.
  • SecurityOption: Configures the policies under the Security Options node in local security policies.
  • SecurityTemplate: Configures user rights assignments that are defined in an INF file.
  • UserRightsAssignment: Configures user rights assignments in local security policies.

AccountPolicy

For further explanation of these settings, please consult Account Policies Reference.

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | A unique name of the AccountPolicy resource instance. This is not used during configuration. | |
| Enforce_password_history | Write | Uint32 | Specifies the number of unique new passwords that must be associated with a user account before an old password can be reused. | A number from 0 through 24 can be specified |
| Maximum_Password_Age | Write | Uint32 | Specifies the period of time (in days) that a password can be used before the system requires the user to change it. | A number from 0 through 999 can be specified, with 0 meaning the password will never expire |
| Minimum_Password_Age | Write | Uint32 | Specifies the period of time (in days) that a password must be used before the user can change it. | A number from 0 to 998 can be specified |
| Minimum_Password_Length | Write | Uint32 | Specifies the least number of characters that can make up a password for a user account. | A number from 0 to 14 can be specified |
| Password_must_meet_complexity_requirements | Write | String | Specifies whether passwords must meet a series of guidelines that are considered important for a strong password | Enabled, Disabled |
| Store_passwords_using_reversible_encryption | Write | String | Specifies whether passwords are stored in a way that is reversible, to provide support for applications that use protocols that require the user's password for authentication | Enabled, Disabled |
| Account_lockout_duration | Write | Uint32 | Specifies the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. | A number from 1 through 99,999 can be specified |
| Account_lockout_threshold | Write | Uint32 | Specifies the number of failed sign-in attempts that will cause a user account to be locked | |
| Reset_account_lockout_counter_after | Write | Uint32 | Specifies the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0 | |

Note: The settings below pertain to Kerberos policies and must be set by a member of the Domain Admins group.

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Enforce_user_logon_restrictions | Write | String | Specifies whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account | Enabled, Disabled |
| Maximum_lifetime_for_service_ticket | Write | Uint32 | Specifies the maximum number of minutes that a granted session ticket can be used to access a particular service. | A number from 10 to the value of the 'Maximum lifetime for service ticket' policy setting can be specified |
| Maximum_lifetime_for_user_ticket | Write | Uint32 | Specifies the maximum amount of time (in hours) that a user's ticket-granting ticket can be used. | A number from 0 to 99,999 can be specified |
| Maximum_lifetime_for_user_ticket_renewal | Write | Uint32 | Specifies the period of time (in days) during which a user's ticket-granting ticket can be renewed. | A number from 0 to 99,999 can be specified |
| Maximum_tolerance_for_computer_clock_synchronization | Write | Uint32 | Specifies the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication | |
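The following configuration applies the password and lockout settings from the table above to the local node. It is an added example, not code from the project README: the resource and parameter names are the module's own, while the numeric values, the node name and the MOF output path are chosen for this example. The Kerberos parameters are left out because, per the note above, they can only be set by a Domain Admin.

```powershell
Configuration PasswordAndLockoutPolicy
{
    # AccountPolicy comes from SecurityPolicyDsc; the parameter names below
    # must match the table exactly (underscores, not spaces).
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node 'localhost'
    {
        AccountPolicy 'LocalPasswordAndLockout'
        {
            # Key only; Name is not written to the policy itself
            Name                                        = 'LocalPasswordAndLockout'

            # Password policy (example values, each inside the range the table lists)
            Enforce_password_history                    = 24    # 0..24 remembered passwords
            Maximum_Password_Age                        = 60    # days; 0 would mean never expires
            Minimum_Password_Age                        = 1     # days before a user may change again
            Minimum_Password_Length                     = 14    # 0..14 characters
            Password_must_meet_complexity_requirements  = 'Enabled'
            Store_passwords_using_reversible_encryption = 'Disabled'

            # Lockout policy
            Account_lockout_threshold                   = 10    # failed sign-ins before lockout
            Account_lockout_duration                    = 15    # minutes locked out
            Reset_account_lockout_counter_after         = 15    # minutes until the counter resets
        }
    }
}

# Compile the MOF, apply it, and confirm the node reports the desired state.
# The output path under $env:TEMP is an assumption for this example.
$mofPath = Join-Path -Path $env:TEMP -ChildPath 'PasswordAndLockoutPolicy'
PasswordAndLockoutPolicy -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force

# Drift check: any resource whose current state differs from the MOF is listed here
Test-DscConfiguration -Detailed | Select-Object -Property InDesiredState, ResourcesNotInDesiredState

# Independent check against the tool the module wraps: export the current
# policy with secedit.exe and read back the [System Access] values.
$exportPath = Join-Path -Path $env:TEMP -ChildPath 'current-policy.inf'
secedit.exe /export /cfg $exportPath /areas SECURITYPOLICY | Out-Null
Select-String -Path $exportPath -Pattern '^(PasswordHistorySize|MaximumPasswordAge|MinimumPasswordLength|LockoutBadCount|LockoutDuration|ResetLockoutCount)'
```

Run the script in an elevated PowerShell session on the node being configured. The `secedit.exe /export` step at the end is the same cross-check you would use after any policy change, since it reads the effective local policy rather than the DSC current-state cache.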

SecurityOption

For further explanation of these settings, please consult Security Options Reference.

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | Describes the security option to be managed. This could be anything as long as it is unique | |
| Accounts_Administrator_account_status | Write | String | Determines whether the local Administrator account is enabled or disabled | Enabled, Disabled |
| Accounts_Block_Microsoft_accounts | Write | String | Prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services | This policy is disabled, Users cant add Microsoft accounts, Users cant add or log on with Microsoft accounts |
| Accounts_Guest_account_status | Write | String | Determines whether the Guest account is enabled or disabled | Enabled, Disabled |
| Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only | Write | String | Determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords | Enabled, Disabled |
| Accounts_Rename_administrator_account | Write | String | Determines whether a different account name is associated with the security identifier (SID) for the administrator account | |
| Accounts_Rename_guest_account | Write | String | Determines whether a different account name is associated with the security identifier (SID) for the Guest account | |
| Audit_Audit_the_access_of_global_system_objects | Write | String | If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS devices. If you also enable the Audit object access audit setting, access to these system objects is audited | Enabled, Disabled |
| Audit_Audit_the_use_of_Backup_and_Restore_privilege | Write | String | Determines whether to audit the use of all user rights, including Backup and Restore, when the Audit privilege use policy setting is configured | Enabled, Disabled |
| Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings | Write | String | Allows you to manage your audit policy in a more precise way by using audit policy subcategories | Enabled, Disabled |
| Audit_Shut_down_system_immediately_if_unable_to_log_security_audits | Write | String | Determines whether the system shuts down if it is unable to log security events | Enabled, Disabled |
| DCOM_Machine_Access_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax | Write | String | Allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM) based applications on a device | |
| DCOM_Machine_Launch_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax | Write | String | Allows you to define additional computer-wide controls that govern access to all DCOM based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device | |
| Devices_Allow_undock_without_having_to_log_on | Write | String | Enables or disables the ability of a user to remove a portable device from a docking station without logging on | Enabled, Disabled |
| Devices_Allowed_to_format_and_eject_removable_media | Write | String | Determines who is allowed to format and eject removable media | Administrators, Administrators and Power Users, Administrators and Interactive Users |
| Devices_Prevent_users_from_installing_printer_drivers | Write | String | Determines who can install a printer driver as part of adding a network printer | Enabled, Disabled |
| Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only | Write | String | Determines whether a CD is accessible to local and remote users simultaneously | Enabled, Disabled |
| Devices_Restrict_floppy_access_to_locally_logged_on_user_only | Write | String | Determines whether removable floppy disks are accessible to local and remote users simultaneously | Enabled, Disabled |
| Domain_controller_Allow_server_operators_to_schedule_tasks | Write | String | Determines whether server operators can use the 'at' command to submit jobs | Enabled, Disabled |
| Domain_controller_LDAP_server_signing_requirements | Write | String | Determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing | None, Require Signing |
| Domain_controller_Refuse_machine_account_password_changes | Write | String | Enables or disables blocking a domain controller from accepting password change requests for machine accounts | Enabled, Disabled |
| Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always | Write | String | Determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted | Enabled, Disabled |
| Domain_member_Digitally_encrypt_secure_channel_data_when_possible | Write | String | Determines whether all secure channel traffic that is initiated by the domain member must be encrypted | Enabled, Disabled |
| Domain_member_Digitally_sign_secure_channel_data_when_possible | Write | String | Determines whether all secure channel traffic that is initiated by the domain member must be signed | Enabled, Disabled |
| Domain_member_Disable_machine_account_password_changes | Write | String | Determines whether a domain member periodically changes its machine account password | Enabled, Disabled |
| Domain_member_Maximum_machine_account_password_age | Write | String | Determines when a domain member submits a password change | |
| Domain_member_Require_strong_Windows_2000_or_later_session_key | Write | String | Determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key | Enabled, Disabled |
| Interactive_logon_Display_user_information_when_the_session_is_locked | Write | String | Controls whether details such as email address or domain\username appear with the username on the sign-in screen | User displayname, domain and user names, User display name only, Do not display user information |
| Interactive_logon_Do_not_display_last_user_name | Write | String | Determines whether the name of the last user to log on to the device is displayed on the Secure Desktop | Enabled, Disabled |
| Interactive_logon_Do_not_require_CTRL_ALT_DEL | Write | String | Determines whether pressing CTRL+ALT+DEL is required before a user can log on | Enabled, Disabled |
| Interactive_logon_Machine_account_lockout_threshold | Write | String | Allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker | |
| Interactive_logon_Machine_inactivity_limit | Write | String | Specifies the amount of inactive time before the user's session locks by invoking the screen saver | |
| Interactive_logon_Message_text_for_users_attempting_to_log_on | Write | String | Specifies a text message to be displayed to users when they log on | |
| Interactive_logon_Message_title_for_users_attempting_to_log_on | Write | String | Specifies a message title to be displayed to users when they log on | |
| Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available | Write | String | Determines whether a user can log on to a Windows domain by using cached account information | |
| Interactive_logon_Prompt_user_to_change_password_before_expiration | Write | String | Determines how many days in advance users are warned that their passwords are about to expire | |
| Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation | Write | String | Determines whether it is necessary to contact a domain controller to unlock a device | Enabled, Disabled |
| Interactive_logon_Require_smart_card | Write | String | Requires users to log on to a device by using a smart card | Enabled, Disabled |
| Interactive_logon_Smart_card_removal_behavior | Write | String | Determines what happens when the smart card for a logged-on user is removed from the smart card reader | No Action, Lock workstation, Force logoff, Disconnect if a remote Remote Desktop Services session |
| Microsoft_network_client_Digitally_sign_communications_always | Write | String | If this policy setting is enabled, SMBv2 clients will digitally sign all packets | Enabled, Disabled |
| Microsoft_network_client_Digitally_sign_communications_if_server_agrees | Write | String | If this policy setting is enabled, SMBv2 clients will digitally sign all packets if the server agrees | Enabled, Disabled |
| Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers | Write | String | Allows or prevents the SMB redirector from sending plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication | Enabled, Disabled |
| Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session | Write | String | Determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity | |
| Microsoft_network_server_Attempt_S4U2Self_to_obtain_claim_information | Write | String | Specifies whether a Windows file server will attempt to use the Kerberos S4U2Self feature to obtain a claim-enabled access token for the client principal if required | Default, Enabled, Disabled |
| Microsoft_network_server_Digitally_sign_communications_always | Write | String | Specifies whether an SMB server requires SMB network packets to be digitally signed | Enabled, Disabled |
| Microsoft_network_server_Digitally_sign_communications_if_client_agrees | Write | String | Specifies whether an SMB server will negotiate to digitally sign SMB network packets with a client | Enabled, Disabled |
| Microsoft_network_server_Disconnect_clients_when_logon_hours_expire | Write | String | Enables or disables the forced disconnection of users who are connected to the local device using SMB outside their user account's valid logon hours | Enabled, Disabled |
| Microsoft_network_server_Server_SPN_target_name_validation_level | Write | String | Controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the Server Message Block (SMB) protocol | Off, Accept if provided by client, Required from client |
| Network_access_Allow_anonymous_SID_Name_translation | Write | String | Enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user | Enabled, Disabled |
| Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts | Write | String | Determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares | Enabled, Disabled |
| Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares | Write | String | Determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares | Enabled, Disabled |
| Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication | Write | String | Determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication | Enabled, Disabled |
| Network_access_Let_Everyone_permissions_apply_to_anonymous_users | Write | String | Determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities | Enabled, Disabled |
| Network_access_Named_Pipes_that_can_be_accessed_anonymously | Write | String | Determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access | |
| Network_access_Remotely_accessible_registry_paths | Write | String | Determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions | |
| Network_access_Remotely_accessible_registry_paths_and_subpaths | Write | String | Determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions | |
| Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares | Write | String | Enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the 'Network access: Named pipes that can be accessed anonymously' and 'Network access: Shares that can be accessed anonymously' settings | Enabled, Disabled |
| Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM | Write | String[] | The Permission and Identity required for restricted remote SAM access | |
| Network_access_Shares_that_can_be_accessed_anonymously | Write | String | Determines which shared folders can be accessed by anonymous users | |
| Network_access_Sharing_and_security_model_for_local_accounts | Write | String | Determines how network logons that use local accounts are authenticated | Classic - Local users authenticate as themselves, Guest only - Local users authenticate as Guest |
| Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM | Write | String | Determines what identity to use for services running as Local System when NTLM is used | Enabled, Disabled |
| Network_security_Allow_LocalSystem_NULL_session_fallback | Write | String | Determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility | Enabled, Disabled |
| Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities | Write | String | Determines whether authentication is allowed between two or more computers that have established a peer relationship through the use of online IDs | Enabled, Disabled |
| Network_security_Configure_encryption_types_allowed_for_Kerberos | Write | String[] | Allows you to set the encryption types that the Kerberos protocol is allowed to use | DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, FUTURE |
| Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change | Write | String | Determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed | Enabled, Disabled |
| Network_security_Force_logoff_when_logon_hours_expire | Write | String | Determines whether to disconnect users who are connected to the local device using SMB outside their user account's valid logon hours | Enabled, Disabled |
| Network_security_LAN_Manager_authentication_level | Write | String | Determines which challenge or response authentication protocol is used for network logons | Send LM & NTLM responses, Send LM & NTLM - use NTLMv2 session security if negotiated, Send NTLM responses only, Send NTLMv2 responses only, Send NTLMv2 responses only. Refuse LM, Send NTLMv2 responses only. Refuse LM & NTLM |
| Network_security_LDAP_client_signing_requirements | Write | String | Determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests | None, Negotiate Signing, Require Signing |
| Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients | Write | String | Allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security | Require NTLMv2 session security, Require 128-bit encryption, Both options checked |
| Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers | Write | String | Allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security | Require NTLMv2 session security, Require 128-bit encryption, Both options checked |
| Network_security_Restrict_NTLM_Add_remote_server_exceptions_for_NTLM_authentication | Write | String | Allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' policy setting is configured | |
| Network_security_Restrict_NTLM_Add_server_exceptions_in_this_domain | Write | String | Allows you to create an exception list of servers in this domain to which client devices are allowed to use NTLM pass-through authentication if any of the deny options are set in the 'Network Security: Restrict NTLM: NTLM authentication in this domain' policy setting | |
| Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic | Write | String | Allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller | Allow all, Deny all domain accounts, Deny all accounts |
| Network_Security_Restrict_NTLM_NTLM_authentication_in_this_domain | Write | String | Allows you to deny or allow NTLM authentication within a domain from this domain controller | Disable, Deny for domain accounts to domain servers, Deny for domain accounts, Deny for domain servers, Deny all |
| Network_Security_Restrict_NTLM_Outgoing_NTLM_traffic_to_remote_servers | Write | String | Allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system | Allow all, Audit all, Deny all |
| Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic | Write | String | Allows you to audit incoming NTLM traffic | Disabled, Enable auditing for domain accounts, Enable auditing for all accounts |
| Network_Security_Restrict_NTLM_Audit_NTLM_authentication_in_this_domain | Write | String | Allows you to audit, on the domain controller, NTLM authentication in that domain | Disable, Enable for domain accounts to domain servers, Enable for domain accounts, Enable for domain servers, Enable all |
| Recovery_console_Allow_automatic_administrative_logon | Write | String | Determines whether the built-in Administrator account password must be provided before access to the Recovery Console on the device is granted | Enabled, Disabled |
| Recovery_console_Allow_floppy_copy_and_access_to_all_drives_and_folders | Write | String | Enables or disables the Recovery Console SET command | Enabled, Disabled |
| Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on | Write | String | Determines whether a device can be shut down without having to log on to Windows | Enabled, Disabled |
| Shutdown_Clear_virtual_memory_pagefile | Write | String | Determines whether the virtual memory paging file is cleared when the device is shut down | Enabled, Disabled |
| System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer | Write | String | Determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password | User input is not required when new keys are stored and used, User is prompted when the key is first used, User must enter a password each time they use a key |
| System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing | Write | String | Determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite | Enabled, Disabled |
| System_objects_Require_case_insensitivity_for_non_Windows_subsystems | Write | String | Determines whether case insensitivity is enforced for all subsystems | Enabled, Disabled |
| System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links | Write | String | Determines the strength of the default discretionary access control list (DACL) for objects | Enabled, Disabled |
| System_settings_Optional_subsystems | Write | String | Determines which subsystems support your applications | |
| System_settings_Use_Certificate_Rules_on_Windows_Executables_for_Software_Restriction_Policies | Write | String | Determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension | Enabled, Disabled |
| User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account | Write | String | Determines the behavior of Admin Approval Mode for the built-in administrator account | Enabled, Disabled |
| User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop | Write | String | Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user | Enabled, Disabled |
| User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode | Write | String | Determines the behavior of the elevation prompt for accounts that have administrative credentials | Elevate without prompting, Prompt for credentials on the secure desktop, Prompt for consent on the secure desktop, Prompt for credentials, Prompt for consent, Prompt for consent for non-Windows binaries |
| User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users | Write | String | Determines the behavior of the elevation prompt for standard users | Automatically deny elevation request, Prompt for credentials on the secure desktop, Prompt for credentials |
| User_Account_Control_Detect_application_installations_and_prompt_for_elevation | Write | String | Determines the behavior of application installation detection for the entire system | Enabled, Disabled |
| User_Account_Control_Only_elevate_executables_that_are_signed_and_validated | Write | String | Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege | Enabled, Disabled |
| User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations | Write | String | Enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest) must reside in a secure location on the file system | Enabled, Disabled |
| User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode | Write | String | Determines the behavior of all User Account Control (UAC) policies for the entire system | Enabled, Disabled |
| User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation | Write | String | Determines whether the elevation request prompts on the interactive user desktop or on the secure desktop | Enabled, Disabled |
| User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations | Write | String | Enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system | Enabled, Disabled |
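The configuration below groups a set of the security options from the table above into two SecurityOption instances: one for SMB, NTLM, Kerberos and anonymous-access settings, one for logon and UAC behaviour. It is an added example rather than code from the project; the parameter names and allowed values are taken from the table, and the node name, the instance names and the choice of settings are this example's own. It also shows how the two String[] parameters take an array rather than a single string.

```powershell
Configuration NetworkAuthenticationHardening
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node 'localhost'
    {
        # Name is only a key; one instance can carry any number of options,
        # and several instances may be used as long as each Name is unique.
        SecurityOption 'SmbNtlmAndAnonymousAccess'
        {
            Name = 'SmbNtlmAndAnonymousAccess'

            # SMB signing on both sides of the connection; never send cleartext passwords
            Microsoft_network_client_Digitally_sign_communications_always                  = 'Enabled'
            Microsoft_network_server_Digitally_sign_communications_always                  = 'Enabled'
            Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers  = 'Disabled'

            # NTLM: refuse LM and NTLMv1, require NTLMv2 with 128-bit session security,
            # and stop storing the LM hash at the next password change
            Network_security_LAN_Manager_authentication_level = 'Send NTLMv2 responses only. Refuse LM & NTLM'
            Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients = 'Both options checked'
            Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers = 'Both options checked'
            Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change   = 'Enabled'

            # Kerberos: String[] parameter, so pass an array of the names listed in the table
            Network_security_Configure_encryption_types_allowed_for_Kerberos = @('AES128_HMAC_SHA1', 'AES256_HMAC_SHA1')

            # Anonymous access to SIDs, SAM accounts, shares and named pipes
            Network_access_Allow_anonymous_SID_Name_translation                            = 'Disabled'
            Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares   = 'Enabled'
            Network_access_Let_Everyone_permissions_apply_to_anonymous_users               = 'Disabled'
            Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares             = 'Enabled'
        }

        SecurityOption 'LogonAndUac'
        {
            Name = 'LogonAndUac'

            Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only      = 'Enabled'
            Interactive_logon_Do_not_display_last_user_name                                = 'Enabled'
            # Inactivity limit is a String parameter; the value is in seconds
            Interactive_logon_Machine_inactivity_limit                                     = '900'

            User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode             = 'Enabled'
            User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation = 'Enabled'
            User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users       = 'Automatically deny elevation request'
        }
    }
}

# Output path is an assumption for this example
$mofPath = Join-Path -Path $env:TEMP -ChildPath 'NetworkAuthenticationHardening'
NetworkAuthenticationHardening -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force
Test-DscConfiguration -Detailed | Select-Object -Property InDesiredState, ResourcesNotInDesiredState
```

Allowed-value strings such as `'Send NTLMv2 responses only. Refuse LM & NTLM'` must be spelled exactly as the table lists them, punctuation included, or the resource will reject the MOF at compile time.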

SecurityTemplate

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| IsSingleInstance | Key | String | Specifies the resource is a single instance; the value must be 'Yes' | Yes |
| Path | Required | String | The path to the desired security policy template (.inf) | |

UserRightsAssignment

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Policy | Key | String | The policy name of the user rights assignment to be configured. | Create_a_token_object, Access_this_computer_from_the_network, Change_the_system_time, Deny_log_on_as_a_batch_job, Deny_log_on_through_Remote_Desktop_Services, Create_global_objects, Remove_computer_from_docking_station, Deny_access_to_this_computer_from_the_network, Act_as_part_of_the_operating_system, Modify_firmware_environment_values, Deny_log_on_locally, Access_Credential_Manager_as_a_trusted_caller, Restore_files_and_directories, Change_the_time_zone, Replace_a_process_level_token, Manage_auditing_and_security_log, Create_symbolic_links, Modify_an_object_label, Enable_computer_and_user_accounts_to_be_trusted_for_delegation, Generate_security_audits, Increase_a_process_working_set, Take_ownership_of_files_or_other_objects, Bypass_traverse_checking, Log_on_as_a_service, Shut_down_the_system, Lock_pages_in_memory, Impersonate_a_client_after_authentication, Profile_system_performance, Debug_programs, Profile_single_process, Allow_log_on_through_Remote_Desktop_Services, Allow_log_on_locally, Increase_scheduling_priority, Synchronize_directory_service_data, Add_workstations_to_domain, Adjust_memory_quotas_for_a_process, Obtain_an_impersonation_token_for_another_user_in_the_same_session, Perform_volume_maintenance_tasks, Load_and_unload_device_drivers, Force_shutdown_from_a_remote_system, Back_up_files_and_directories, Create_a_pagefile, Deny_log_on_as_a_service, Log_on_as_a_batch_job, Create_permanent_shared_objects |
| Identity | Required | String[] | The identity of the user or group to be added or removed from the user rights assignment. | |
| Force | Write | Boolean | Specifies to explicitly assign only the identities defined | |
| Ensure | Write | String | Desired state of the resource. | Present, Absent |
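The script below covers both the SecurityTemplate and the UserRightsAssignment tables: it writes a minimal secedit template that denies interactive and network logon to the Guests group, applies it with SecurityTemplate, and then manages two individual rights with UserRightsAssignment, once with `Force` and once with `Ensure = 'Absent'`. It is an added example, not part of the project README; the resource and parameter names are the module's, while the template content, the file paths, the node name and the chosen rights and identities are this example's own. The well-known SID S-1-5-32-546 is BUILTIN\Guests.

```powershell
# Constructed for this example: a minimal secedit template. secedit templates
# are Unicode INF files; [Privilege Rights] holds user rights keyed by the
# privilege constant, with identities given as *SID.
$templatePath = 'C:\DscTemplates\DenyGuestLogon.inf'
New-Item -ItemType Directory -Path (Split-Path -Path $templatePath) -Force | Out-Null
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeDenyNetworkLogonRight = *S-1-5-32-546
'@ | Set-Content -Path $templatePath -Encoding Unicode

Configuration UserRightsBaseline
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node 'localhost'
    {
        # SecurityTemplate is single-instance: one template per node, and every
        # user right the INF defines is applied.
        SecurityTemplate 'DenyGuestLogon'
        {
            IsSingleInstance = 'Yes'
            Path             = 'C:\DscTemplates\DenyGuestLogon.inf'
        }

        # Force = $true: the right is held by exactly the listed identities, so any
        # other principal currently granted it is removed. Identity is String[], so
        # it is passed as an array even for a single value.
        UserRightsAssignment 'DebugProgramsAdminsOnly'
        {
            Policy   = 'Debug_programs'
            Identity = @('Administrators')
            Force    = $true
            Ensure   = 'Present'
        }

        # Without Force, Ensure = 'Absent' removes only the named identity and
        # leaves the other holders of the right in place.
        UserRightsAssignment 'NoGuestsBatchLogon'
        {
            Policy   = 'Log_on_as_a_batch_job'
            Identity = @('Guests')
            Ensure   = 'Absent'
        }
    }
}

# Compile and apply (output path is an assumption for this example)
$mofPath = Join-Path -Path $env:TEMP -ChildPath 'UserRightsBaseline'
UserRightsBaseline -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force

# Verify with secedit.exe directly: export only the user rights area and read
# back the privileges this configuration touched.
$exportPath = Join-Path -Path $env:TEMP -ChildPath 'current-user-rights.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
Select-String -Path $exportPath -Pattern '^(SeDebugPrivilege|SeDenyInteractiveLogonRight|SeDenyNetworkLogonRight|SeBatchLogonRight)'
```

Reading the exported INF is the quickest way to confirm that the identities on each right are exactly what the configuration declared, since the export lists SIDs rather than names and so does not depend on name resolution.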

Issues

Network_security_Configure_encryption_types_allowed_for_Kerberos

I noticed that this SecurityOption does not allow for 'Future encryption types' to be selected.

    "Network_security_Configure_encryption_types_allowed_for_Kerberos" = @{
        Value   = "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes"
        Section = 'Registry Values'
        Option  = @{
            DES_CBC_CRC      = '4,1'
            DES_CBC_MD5      = '4,2'
            RC4_HMAC_MD5     = '4,4'
            AES128_HMAC_SHA1 = '4,8'
            AES256_HMAC_SHA1 = '4,16'
        }
    }

But this article from Microsoft explains how to enable that setting:
https://blogs.technet.microsoft.com/petergu/2013/04/14/interpreting-the-supportedencryptiontypes-registry-key/

Any plans to include this setting?

Get-DscConfiguration fails when UserRightAssignment returns a single string for Identity

The following config will cause Get-DscConfiguration to fail:

    UserRightsAssignment test
    {
        Policy   = 'Deny_log_on_locally'
        Identity = 'Guests'
        Ensure   = 'Present'
    }

The error would be Get-DscConfiguration : GetConfiguration did not succeed. This is because the parameter $Identity is of type [System.String[]].

This can be fixed in the Get-UserRightPolicy function by casting Identity as an array in the return object:

     [PSObject]@{
        Constant     = $userRightConstant
        FriendlyName = $Name
        Identity     = [array]$userRights[$userRightConstant]
    }

Overwrite Values

Is there a way to have this resource apply exactly what you define in the DSC file? It seems at the moment even when using the "force" flag it still appends to existing values rather than overwriting. For example, trying to set "Bypass Traverse Checking" to what is defined in the MS security baseline, which does not include the everyone group, still results in the everyone group being present.
This seems to run contrary to the belief that a DSC file should represent exactly what the configuration should be on the node.

"Network_access_Remotely_accessible_registry_paths_and_subpaths" Add multiple paths

I am relatively new to DSC but have found a lot of my answers here in the DOCS and on the web.

But, one issue has me stumped.
I need to add MULTIPLE paths to the "Security Option" "Network_access_Remotely_accessible_registry_paths_and_subpaths"

I can add one path, and only 1 path, no matter how I try. I have tried setting it using the SecurityPolicyDsc resource (many different ways) and also straight up using the Registry resource, which fails miserably because an export of the data is hex, but when using DSC to add it back in, it just adds the hex data to the MultiString key...

I am at a loss.
I would prefer to use the SecurityPolicyDSC resource, but will use registry if that is my only way.

If anyone has figured this out, I would greatly appreciate your input!
Thanks!
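As an added example (not code from the issue or from SecurityPolicyDsc), the following PowerShell shows the two representations of this setting that do hold multiple paths: the secedit template line, where REG_MULTI_SZ values use the `7,` prefix with items separated by commas, and a direct registry write that passes a string array so the value lands as REG_MULTI_SZ rather than as the hex dump a .reg export produces. The value behind "Remotely accessible registry paths and sub-paths" is `AllowedPaths\Machine` under `SecurePipeServers\Winreg`. The path list is illustrative, and the function names are invented here; how SecurityPolicyDsc itself expects several values for this option is not something this example asserts.

```powershell
# Added example, not SecurityPolicyDsc code. Illustrative path list; use the
# set your baseline prescribes.
$allowedPaths = @(
    'System\CurrentControlSet\Control\Print\Printers'
    'System\CurrentControlSet\Services\Eventlog'
    'Software\Microsoft\OLAP Server'
    'Software\Microsoft\Windows NT\CurrentVersion\Print'
)

function New-MultiStringInfLine
{
    # secedit template syntax for REG_MULTI_SZ is "<path>=7,<item>,<item>,...",
    # so individual items must not contain commas.
    param (
        [Parameter(Mandatory)] [string]   $RegistryValuePath,
        [Parameter(Mandatory)] [string[]] $Items
    )
    if ($Items | Where-Object { $_ -match ',' })
    {
        throw 'REG_MULTI_SZ items cannot contain commas in INF syntax'
    }
    return ('{0}=7,{1}' -f $RegistryValuePath, ($Items -join ','))
}

function Set-RemotelyAccessibleRegistryPaths
{
    # Write the value as a string array so it is stored as REG_MULTI_SZ.
    [CmdletBinding(SupportsShouldProcess)]
    param ([Parameter(Mandatory)] [string[]] $Paths)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
    if ($PSCmdlet.ShouldProcess($key, 'Set Machine (REG_MULTI_SZ)'))
    {
        Set-ItemProperty -Path $key -Name Machine -Value $Paths -Type MultiString
    }
}

function Get-RemotelyAccessibleRegistryPaths
{
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
    @((Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue).Machine)
}

# INF fragment for a [Registry Values] section (for secedit or a SecurityTemplate)
New-MultiStringInfLine `
    -RegistryValuePath 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine' `
    -Items $allowedPaths

# Direct registry write (remove -WhatIf to apply), then an exact-set check.
Set-RemotelyAccessibleRegistryPaths -Paths $allowedPaths -WhatIf
$current = Get-RemotelyAccessibleRegistryPaths
if ($current.Count -eq 0)
{
    # Compare-Object rejects an empty DifferenceObject, so handle "not set" first.
    'AllowedPaths\Machine is not set on this node'
}
else
{
    $drift = Compare-Object -ReferenceObject $allowedPaths -DifferenceObject $current
    if ($drift) { $drift } else { 'AllowedPaths\Machine matches the desired list' }
}
```

The empty-value branch is deliberate: `Compare-Object` throws when handed an empty array, which is the same class of failure the "array based security option not already configured" issue further down describes for the module's own comparison.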

UserRightsAssignment

Was using this with Azure DSC. Server 2012R2 VM. It worked perfectly, but Azure reported that nothing was compliant even though I reviewed and confirmed the rights had been assigned correctly.

Not sure if there is something at issue with the Resource or Azure, but it was very confusing.

Set-TargetResource fails for array based security option if not already configured

Set-TargetResource will fail to succeed if an array based security option is passed but there is no corresponding value already present in the $currentSecurityOptions dictionary object. Found whilst testing with Kerberos ETypes which isn't configured by default in the OS.

Cannot bind argument to parameter 'ReferenceObject' because it is null.

  • CategoryInfo : InvalidData: (:) [], CimException

Adding another if clause that simply returns false when the security option is missing from $currentSecurityOptions resolves the issue.

Line 1031 of MSFT_SecurityOption.psm1

    if ( $desiredSecurityOptionValue -is [array] )
    {
        if ( $currentSecurityOptions[$policy] )
        {
            $compareResult = Compare-Array -ReferenceObject $currentSecurityOptions[$policy] -DifferenceObject $desiredSecurityOptionValue

            if ( -not $compareResult )
            {
                return $false
            }
        }
        else
        {
            # Option not configured on the node at all: nothing to compare, so not in desired state
            return $false
        }
    }

Setting User Rights Assignments for builtin Identities

When trying to set User Rights Assignments for built-in and NT Authority Identities on a domain joined computer the account gets prefixed with the domain name during Test-TargetResource. i.e. Contoso\NT Authority\Administrator

"." appears to break SecurityOption

An error is presented when attempting to set the "Network_security_LAN_Manager_authentication_level" SecurityOption to either "Send NTLMv2 response only. Refuse LM" or "Send NTLMv2 response only. Refuse LM & NTLM". All other available values (without the "." character) appear to work correctly, so I believe this is an issue with the "." being stripped out somewhere.

SecurityOptions not applying

I'm receiving the following error when the SecurityOptions Resource in the 2.0.0.0 version of the SecurityPolicyDsc module is used:

Error Message is PowerShell DSC resource MSFT_SecurityOption  failed to execute Set-TargetResource functionality with error message: Failed to update security option Accounts_Rename_guest_account,Audit_Audit_the_use_of_Backup_and_Restore_privilege,Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings,Devices_Allow_undock_without_having_to_log_on,Devices_Allowed_to_format_and_eject_removable_media,Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only,Devices_Restrict_floppy_access_to_locally_logged_on_user_only,Domain_controller_Allow_server_operators_to_schedule_tasks,Domain_controller_Refuse_machine_account_password_changes,Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always,Interactive_logon_Do_not_display_last_user_name,Interactive_logon_Message_text_for_users_attempting_to_log_on,Interactive_logon_Message_title_for_users_attempting_to_log_on,Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares,Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication,Network_access_Remotely_accessible_registry_paths,Network_access_Remotely_accessible_registry_paths_and_subpaths,Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM,Network_security_Allow_LocalSystem_NULL_session_fallback,Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change,Network_security_LAN_Manager_authentication_level. Refer to %windir%\security\logs\scesrv.log for details. 

SCESRV.LOG has the following error:

Error 11: An attempt was made to load a program with an incorrect format.
 	Error converting section Registry Values.

What additional information do you need from me to help resolve this issue?

The SecurityOption portion of my DSC script:

SecurityOption 'SecurityOptions' {
            Name                                                                                                            = 'SecurityOptions'
            Accounts_Administrator_account_status                                                                           = 'Enabled'
            Accounts_Guest_account_status                                                                                   = 'Disabled'
            Accounts_Rename_administrator_account                                                                           = 'ccadmin'
            Accounts_Rename_guest_account                                                                                   = 'interloper'
            Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings = 'Enabled'
            Audit_Audit_the_use_of_Backup_and_Restore_privilege                                                             = 'Enabled'
            Devices_Allow_undock_without_having_to_log_on                                                                   = 'Disabled'
            Devices_Allowed_to_format_and_eject_removable_media                                                             = 'Administrators'
            Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only                                                   = 'Disabled'
            Devices_Restrict_floppy_access_to_locally_logged_on_user_only                                                   = 'Disabled'
            Domain_controller_Allow_server_operators_to_schedule_tasks                                                      = 'Enabled'
            Domain_controller_Refuse_machine_account_password_changes                                                       = 'Disabled'
            Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always                                              = 'Disabled'
            Interactive_logon_Do_not_display_last_user_name                                                                 = 'Enabled'
            Interactive_logon_Message_text_for_users_attempting_to_log_on                                                   = $LegalNoticeText
            Interactive_logon_Message_title_for_users_attempting_to_log_on                                                  = 'WARNING - Private Computer System'
            Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available                 = '10'
            Network_access_Allow_anonymous_SID_Name_translation                                                             = 'Disabled'
            Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts                                               = 'Enabled'
            Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares                                    = 'Enabled'
            Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication                     = 'Enabled'
            Network_access_Let_Everyone_permissions_apply_to_anonymous_users                                                = 'Disabled'
            Network_access_Named_Pipes_that_can_be_accessed_anonymously                                                     = ([System.String]::Empty)
            Network_access_Remotely_accessible_registry_paths                                                               = ([System.String]::Empty)
            Network_access_Remotely_accessible_registry_paths_and_subpaths                                                  = ([System.String]::Empty)
            Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares                                              = 'Enabled'
            Network_access_Shares_that_can_be_accessed_anonymously                                                          = ([System.String]::Empty)
            Network_access_Sharing_and_security_model_for_local_accounts                                                    = 'Classic - Local users authenticate as themselves'
            Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM                                           = 'Enabled'
            Network_security_Allow_LocalSystem_NULL_session_fallback                                                        = 'Disabled'
            Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change                                    = 'Disabled'
            Network_security_LAN_Manager_authentication_level                                                               = 'Send NTLM responses only'
        }

Set-TargetResource is not working if we change the default values in AccountPolicy DSCResource

Hi Team,

I am trying to update Password policies using the AccountPolicy resource. But if I change the default value in the parameter it fails. Example: Minimum_Password_Length from 12 to 16. When the values match the default values in Password Policy my configuration succeeds (obviously). Please find the configuration below.
WINDOWS SERVER 2012 R2

    Configuration CIS-AC-POL
    {
        Import-DscResource -ModuleName SecurityPolicyDsc

        Node "localhost"
        {
            AccountPolicy Account-Policy #ResourceName
            {
                Name = "PasswordPolicies"
                Maximum_Password_Age = 45
                Minimum_Password_Age = 1
                Minimum_Password_Length = 16
                Account_lockout_duration = '600'
                Account_lockout_threshold = '5'
                Password_must_meet_complexity_requirements = 'Enabled'
                Reset_account_lockout_counter_after = '60'
                Store_passwords_using_reversible_encryption = 'Disabled'
            }
        }
    }

    CIS-AC-POL -OutputPath c:\dsc\
    Start-DscConfiguration -Path c:\dsc\ -Wait -Force -Verbose -Debug

The above configuration fails with the below log.

PS C:\Windows\system32> C:\Users\Administrator\Documents\Account.ps1


    Directory: C:\dsc


Mode                LastWriteTime         Length Name                                                                                        
----                -------------         ------ ----                                                                                        
-a----       11/18/2017   9:21 PM           2584 localhost.mof                                                                               
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalCon
figurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer IP-0A000174 with user sid S-1-5-21-4016039557-2088680779-57283892-500.
VERBOSE: [IP-0A000174]: LCM:  [ Start  Set      ]
VERBOSE: [IP-0A000174]: LCM:  [ Start  Resource ]  [[AccountPolicy]Account-Policy]
VERBOSE: [IP-0A000174]: LCM:  [ Start  Test     ]  [[AccountPolicy]Account-Policy]
VERBOSE: [IP-0A000174]:                            [[AccountPolicy]Account-Policy] Testing AccountPolicy: Maximum_Password_Age
VERBOSE: [IP-0A000174]:                            [[AccountPolicy]Account-Policy] Current policy: 42 Desired policy: 45
VERBOSE: [IP-0A000174]: LCM:  [ End    Test     ]  [[AccountPolicy]Account-Policy]  in 0.3120 seconds.
VERBOSE: [IP-0A000174]: LCM:  [ Start  Set      ]  [[AccountPolicy]Account-Policy]
DEBUG: [IP-0A000174]:                            [[AccountPolicy]Account-Policy] Temp inf C:\Windows\TEMP\SecurityPolicy.inf
VERBOSE: [IP-0A000174]:                            [[AccountPolicy]Account-Policy] Testing AccountPolicy: Maximum_Password_Age
VERBOSE: [IP-0A000174]:                            [[AccountPolicy]Account-Policy] Current policy: 42 Desired policy: 45
VERBOSE: [IP-0A000174]: LCM:  [ End    Set      ]  [[AccountPolicy]Account-Policy]  in 1.6380 seconds.
PowerShell DSC resource MSFT_AccountPolicy  failed to execute Set-TargetResource functionality with error message: Failed to update Account 
Policy Maximum_Password_Age,Minimum_Password_Age,Minimum_Password_Length. Refer to %windir%\security\logs\scesrv.log for details. 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: [IP-0A000174]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.915 seconds

DSCConfigurationStatus:

PS C:\Users\Administrator\Documents> $Status.ResourcesNotInDesiredState


ConfigurationName    : CIS-AC-POL
DependsOn            :
ModuleName           : SecurityPolicyDsc
ModuleVersion        : 2.1.0.0
PsDscRunAsCredential :
ResourceId           : [AccountPolicy]Account-Policy
SourceInfo           : C:\Users\Administrator\Documents\Account.ps1::7::9::AccountPolicy
DurationInSeconds    : 1.544
Error                : {
                           "Exception":  {
                                             "Message":  "PowerShell DSC resource MSFT_AccountPolicy  failed to
                       execute Set-TargetResource functionality with error message: Failed to update Account Policy
                       Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details. ",
                                             "Data":  {

                                                      },
                                             "InnerException":  {
                                                                    "ErrorRecord":  "Failed to update Account Policy
                       Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details.",
                                                                    "WasThrownFromThrowStatement":  true,
                                                                    "Message":  "Failed to update Account Policy
                       Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details.",
                                                                    "Data":
                       "System.Collections.ListDictionaryInternal",
                                                                    "InnerException":
                       "System.Management.Automation.RuntimeException: Failed to update Account Policy
                       Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details.",
                                                                    "TargetSite":
                       "System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject]
                       Invoke(System.Collections.IEnumerable)",
                                                                    "StackTrace":  "   at
                       System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n   at
                       System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean
                       performSyncInvoke)\r\n   at
                       System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace
                       rsToUse, Boolean isSync)\r\n   at
                       System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1
                       input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at
                       System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input,
                       PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at
                       System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings
                       settings)\r\n   at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapt
                       er.ExecuteCommand(PowerShell powerShell, ResourceModuleInfo resInfo, String operationCmd,
                       List`1 acceptedProperties, CimInstance nonResourcePropeties, CimInstance resourceConfiguration,
                       LCMDebugMode debugMode, PSInvocationSettings pSInvocationSettings, UInt32\u0026
                       resultStatusHandle, Collection`1\u0026 result, ErrorRecord\u0026 errorRecord, PSModuleInfo
                       localRunSpaceModuleInfo)",
                                                                    "HelpLink":  null,
                                                                    "Source":  "System.Management.Automation",
                                                                    "HResult":  -2146233087
                                                                },
                                             "TargetSite":  null,
                                             "StackTrace":  null,
                                             "HelpLink":  null,
                                             "Source":  null,
                                             "HResult":  -2146233079
                                         },
                           "TargetObject":  null,
                           "CategoryInfo":  {
                                                "Category":  7,
                                                "Activity":  "",
                                                "Reason":  "InvalidOperationException",
                                                "TargetName":  "",
                                                "TargetType":  ""
                                            },
                           "FullyQualifiedErrorId":  "ProviderOperationExecutionFailure",
                           "ErrorDetails":  null,
                           "InvocationInfo":  null,
                           "ScriptStackTrace":  null,
                           "PipelineIterationInfo":  [

                                                     ]
                       }
FinalState           :
InDesiredState       : False
InitialState         :
InstanceName         : Account-Policy
RebootRequested      : False
ResourceName         : AccountPolicy
StartDate            : 11/18/2017 9:35:45 PM
PSComputerName       :

Invoke-Secedit issue

If the path passed to invoke-secedit contains special characters ('{' or '}' specifically), the secedit command fails.

To fix, $userRightsToAddInf should be surrounded by escaped quotes (or something similar) - Line 89 of SecurityPolicyResourceHelper.psm1.

Request : SecurityTemplate include FileHash parameter

From a security point of view, how do I know the file that is being imported is not modified.
A filehash check would be a nice addition to this great module.

For example run get-filehash against "C:\scratch\SecurityPolicyBackup.inf". And include the Hash result in the resource.

    Configuration CompareInfs
    {
        Import-DscResource -ModuleName SecurityPolicyDsc

        node localhost
        {
            SecurityTemplate TrustedCredentialAccess
            {
                Path             = "C:\scratch\SecurityPolicyBackup.inf"
                IsSingleInstance = 'Yes'
                FileHash         = '9A7C892496CFAA5CF8CC2BDDCC255E15CEDF95997F87FF8913E5DB7EB17A006B'
            }
        }
    }

    CompareInfs -OutputPath C:\DSC
    Start-DscConfiguration -Path C:\DSC -Wait -Verbose -Force
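The two preceding issues, the secedit call breaking on paths that contain `{` or `}` and the request to verify a template's hash before importing it, can be handled together. The following PowerShell is an added example, not code from either issue or from SecurityPolicyDsc: `Invoke-SeceditChecked` passes every argument as a separate element through the call operator, so a path is never re-parsed out of an interpolated command string, and fails on a non-zero exit code; `Import-VerifiedSecurityTemplate` refuses to run `secedit /configure` unless the file's SHA-256 matches the expected value. Both function names are invented here, and the usage at the end exports the live policy into a brace-named directory, so it needs an elevated session; the hash it checks is whatever `Get-FileHash` reports for that export, not a value from the page.

```powershell
# Added example, not SecurityPolicyDsc code.
function Invoke-SeceditChecked
{
    # Arguments travel as an array: PowerShell quotes each one as needed, and
    # braces or spaces in a path never reach a shell parser.
    param ([Parameter(Mandatory)] [string[]] $ArgumentList)
    $output = & "$env:windir\System32\secedit.exe" @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0)
    {
        throw "secedit exited with $LASTEXITCODE; see $env:windir\security\logs\scesrv.log. Output: $($output -join ' ')"
    }
    return $output
}

function Import-VerifiedSecurityTemplate
{
    # Integrity gate before configuration: compare SHA-256 of the INF against the
    # value recorded with the configuration; mismatch aborts before secedit runs.
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{64}$')] [string] $ExpectedSha256,
        [string[]] $Areas = @('SECURITYPOLICY', 'USER_RIGHTS')
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Template not found: $Path" }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256)   # -ne is case-insensitive, so hex case does not matter
    {
        throw "Refusing to import $Path : SHA-256 $actual does not match expected $ExpectedSha256"
    }

    # secedit /configure needs a database; use a throwaway one and clean it up.
    $db = Join-Path $env:TEMP ('secedit-{0}.sdb' -f [guid]::NewGuid())
    $arguments = @('/configure', '/db', $db, '/cfg', $Path, '/areas') + $Areas + @('/quiet')
    if ($PSCmdlet.ShouldProcess($Path, "secedit $($arguments -join ' ')"))
    {
        try     { Invoke-SeceditChecked -ArgumentList $arguments | Out-Null }
        finally { Remove-Item -LiteralPath $db -Force -ErrorAction SilentlyContinue }
    }
}

# Usage (elevated). The directory name deliberately contains braces, the case
# reported in the Invoke-Secedit issue above.
$workDir = Join-Path $env:TEMP ('{{{0}}}' -f [guid]::NewGuid())
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'SecurityPolicyBackup.inf'
Invoke-SeceditChecked -ArgumentList @('/export', '/cfg', $inf, '/quiet') | Out-Null

$hash = (Get-FileHash -LiteralPath $inf -Algorithm SHA256).Hash
# Remove -WhatIf to actually apply the exported template back to the node.
Import-VerifiedSecurityTemplate -Path $inf -ExpectedSha256 $hash -WhatIf
```

Recording the hash alongside the configuration turns the INF from an implicitly trusted input into a pinned artifact: a template swapped on the file share or in a pull-server module will fail the check instead of being silently applied with whatever rights it grants.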

Account Policy errors

The following settings in AccountPolicy seem to be defined by the Default Domain GPO policy already, so you get an error when you try to define them in DSC on a domain connected computer. Perhaps this should be mentioned somehow in an example for clarification?

Enforce_user_logon_restrictions
Maximum_lifetime_for_service_ticket
Maximum_lifetime_for_user_ticket
Maximum_lifetime_for_user_ticket_renewal
Maximum_tolerance_for_computer_clock_synchronization

SecurityTemplate bug

There is a potential issue within the DSCResource "SecurityTemplate" -

In the function "ConvertTo-LocalFriendlyName" found in SecurityPolicyResourceHelper.psm1.
Line 165 of SecurityPolicyResourceHelper.psm1 says:
"if ($null -ne $id -and $id -match 'S-')"

There are Security settings that can match this statement but not be a System.Security.Principal.SecurityIdentifier. A good example of this is the logon banner - Registry key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'. If the logon banner contains S-, the script tries (and fails) to convert it.
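Two of the issues above come down to how identities are recognised and compared: the `S-` substring match that swallows banner text (this issue), and built-in or NT AUTHORITY accounts being prefixed with the domain name so that string comparison fails (the "builtin Identities" issue further up). The PowerShell below is an added example, not code from either issue or from SecurityPolicyDsc: `Test-IsSidString` accepts only a complete SID, so free text that merely contains `S-` is never handed to the `SecurityIdentifier` constructor, and `ConvertTo-Sid` resolves names through the OS and compares by SID, which is the same for `Administrators`, `BUILTIN\Administrators` and `S-1-5-32-544` whether or not the node is domain-joined. Function names are invented here; the banner string is constructed for the example.

```powershell
# Added example, not SecurityPolicyDsc code.
function Test-IsSidString
{
    # A SID is "S-1-<authority>-<subauthority>[-...]" and nothing else; "S-" inside a
    # sentence, or a bare "S-1-5", does not qualify.
    param ([string] $Value)
    return [bool] ($Value -match '^S-1-\d+(-\d+)+$')
}

function ConvertTo-Sid
{
    # Resolve an identity (SID string or account name) to a SecurityIdentifier.
    param ([Parameter(Mandatory)] [string] $Identity)
    if (Test-IsSidString $Identity)
    {
        return [System.Security.Principal.SecurityIdentifier] $Identity
    }
    try
    {
        $account = [System.Security.Principal.NTAccount] $Identity
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException]
    {
        # Deleted accounts and orphaned SIDs surface as a clear error here rather
        # than as a failed resource run over a right you were not even managing.
        throw "Cannot resolve '$Identity' to a SID: $($_.Exception.Message)"
    }
}

function Test-SameIdentity
{
    # Compare by SID, not by the string the caller or secedit happened to use.
    param ([Parameter(Mandatory)] [string] $A, [Parameter(Mandatory)] [string] $B)
    return (ConvertTo-Sid $A) -eq (ConvertTo-Sid $B)
}

# Constructed banner text: it contains "S-" but is not a SID and must not be converted.
$banner = 'Unauthorized use is prohibited. Ref S-2019/01.'
Test-IsSidString $banner
Test-IsSidString 'S-1-5-32-544'
Test-IsSidString 'S-1-5'

# Built-in and NT AUTHORITY principals resolve to the same SID under any spelling,
# so a "DOMAIN\NT AUTHORITY\..." prefix produced by string handling is never needed.
Test-SameIdentity 'Administrators' 'BUILTIN\Administrators'
Test-SameIdentity 'NT AUTHORITY\SYSTEM' 'S-1-5-18'
```

The `catch` for `IdentityNotMappedException` is also the hook for the "unresolved SIDs in unmanaged user rights" issue below: resolution should be attempted only for the identities of the right actually being managed, and a failure should name the identity rather than abort the whole comparison.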

MSFT_SecurityOption: Spelling error in MSFT_SecurityOption.psm1

Details of the scenario you tried and the problem that is occurring

The ValidateSet in the Parameter for User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users has a misspelling of "Prompt for credentials" as it says "Prompt for crendentials"

Verbose logs showing the problem

SecurityPolicyDsc\SecurityOption : At least one of the values 'Prompt for credentials' is not supported or valid for property 'User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users' on class 'SecurityOption'. Please specify only supported values: Automatically deny elevation request, Prompt for credentials on the secure desktop, Prompt for crendentials.

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users

Version of the DSC module that was used ('dev' if using current dev branch)

2.5.0.0

SmbServerNameHardeningLevel policy does not apply

Due to an empty space at the end of the string on this line:

https://github.com/PowerShell/SecurityPolicyDsc/blob/68ffb4a9e9f5e7d2834f4d0cedad0e878bca938d/DSCResources/MSFT_SecurityOption/SecurityOptionData.psd1#L412

throws:

VERBOSE: [VAGRANT]: LCM:  [ End    Set      ]  [[SecurityOption]NetworkSecurityOptions]  in 1.8370 seconds.
PowerShell DSC resource MSFT_SecurityOption  failed to execute Set-TargetResource functionality with error message: Failed to update security option 
Microsoft_network_server_Server_SPN_target_name_validation_level. Refer to %windir%\security\logs\scesrv.log for details. 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: [VAGRANT]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

SecuritySetting Get-IniContent returning untrimmed values

When the DSC Resource is testing the ini file values, the values are being returned with a space in front of them causing the test to fail.

PS C:\Program Files\WindowsPowerShell\Modules\SecurityPolicyDsc\1.3.0.0\DSCResources\MSFT_SecuritySetting> $ini['System Access']['ResetLockoutCount']
 15

PS C:\Program Files\WindowsPowerShell\Modules\SecurityPolicyDsc\1.3.0.0\DSCResources\MSFT_SecuritySetting> $ini['System Access']['ResetLockoutCount'] -eq 15
False

Spelling Error in AccountPolicy resource

I know it's a minor change with a major impact to anyone using version 2.0.0.0, but can the spelling for 'Enfore_user_logon_restrictions' be corrected to 'Enforce_user_login_restrictions'?

UserRightsAssignment: Multiple resources defining same policy in a single configuration not possible

Details of the scenario you tried and the problem that is occurring

The UserRightsAssignment resource cannot be used multiple times in the same configuration to set the same policy. In a single configuration, this is not useful, in a scenario where composite / partial configurations are used though, being able to use the resource in multiple partial configurations is very useful.

Verbose logs showing the problem

Error generated while compiling the configuration:

Test-ConflictingResources : A conflict was detected between resources '[UserRightsAssignment]LogonAsService1 (::7::9::UserRightsAssignment)' and '[UserRightsAssignment]LogonAsService2 (::14::9::UserRightsAssignment)' in
node 'localhost'. Resources have identical key properties but there are differences in the following non-key properties: 'Identity'. Values 'System.Object[]' don't match values 'System.Object[]'. Please update these
property values so that they are identical in both cases.

Suggested solution to the issue

The fix is easy, we can just change the Identity to key on the schema, which would fix this issue. See here:

https://github.com/PowerShell/SecurityPolicyDsc/blob/9dd5b09192622c9a93a941c7b1a334b925defd8b/DSCResources/MSFT_UserRightsAssignment/MSFT_UserRightsAssignment.schema.mof#L6

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration LogonAsService {

    Import-DscResource -ModuleName @{ModuleName = 'SecurityPolicyDsc'; ModuleVersion = '2.5.0.0'}

    Node localhost
    {
        UserRightsAssignment 'LogonAsService1'
        {
            Policy = 'Log_on_as_a_service'
            Identity = @('Account1')
            Ensure = 'Present'
        }

        UserRightsAssignment 'LogonAsService2'
        {
            Policy = 'Log_on_as_a_service'
            Identity = @('Account2', 'Account3')
            Ensure = 'Present'
        }
    }
}

LogonAsService

The operating system the target node is running

Happens on any OS.

Version and build of PowerShell the target node is running

5.1

Version of the DSC module that was used ('dev' if using current dev branch)

2.5.0.0

I'm happy to create the PR if we agree this is a good way forward.

Comments cause Index operation failed; the array index evaluated to null.

I have a template that has a comment section up the top that is as follows:

;This Security Template provides settings to support the setting recommendations 
;in the security guides. Please read the entire contents of the appropriate
;security guide before using this template.

;Copyright (c) 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility.  By using or providing feedback on this documentation, you agree to the license agreement below.
;If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
;This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".  Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
;Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation.  Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
;Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.   
;Microsoft and the Microsoft product names listed in this data file are trademarks of the Microsoft group of companies; the list of Microsoft trademarks can be found at http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx
;The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
;You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose.  You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.  You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

The comment block causes a large number of the following error:

Index operation failed; the array index evaluated to null.
At C:\Program Files\WindowsPowerShell\Modules\SecurityPolicyDsc\2.1.0.0\DSCResources\SecurityPolicyResourceHelper\Secur
ityPolicyResourceHelper.psm1:155 char:13
+             $policyConfiguration[$section][$name] = $value
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArrayIndex
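Three issues on this page are really about parsing and comparing the INF that secedit exports: comment lines before the first section producing the null array index above, `Get-IniContent` returning values with a leading space so that `' 15' -eq 15` is false, and the "Overwrite Values" question of whether a user right holds exactly the identities defined and nothing more. The PowerShell below is an added example, not code from any of those issues or from SecurityPolicyDsc: a small INF parser that skips comments wherever they appear and trims keys and values, plus an exact-set comparison for one user right. The INF text is constructed for this example (it mixes a leading comment block, padded `key = value` pairs, and a `SeChangeNotifyPrivilege` entry that still grants Everyone), and the function names are invented here.

```powershell
# Added example, not SecurityPolicyDsc code. Constructed INF text for this example.
$sampleInf = @'
;This Security Template provides settings to support the setting recommendations
;in the security guides. Comment lines precede the first section on purpose.

[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
ResetLockoutCount = 15
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-11,*S-1-5-32-551,*S-1-1-0,*S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-80-0,CONTOSO\svc_app
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SecurityInf
{
    # Parse INF text into @{ Section = @{ Key = Value } }. Comment and blank lines
    # are skipped wherever they appear, keys and values are trimmed, and a key that
    # precedes any [section] is reported clearly instead of indexing a null section.
    param ([Parameter(Mandatory)] [string] $Content)
    $policy  = @{}
    $section = $null
    foreach ($rawLine in ($Content -split "`r?`n"))
    {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$')
        {
            $section = $Matches[1].Trim()
            if (-not $policy.ContainsKey($section)) { $policy[$section] = @{} }
            continue
        }
        if ($null -eq $section) { throw "Key outside any [section]: '$line'" }
        $name, $value = $line -split '=', 2
        if ($null -eq $value) { $value = '' }
        $policy[$section][$name.Trim()] = $value.Trim()
    }
    return $policy
}

function Compare-PrivilegeAssignment
{
    # Exact-set comparison for one user right: identities granted beyond $Desired
    # are Extra, identities absent are Missing. Entries are compared as written
    # (leading "*" removed); resolve names to SIDs first if a template mixes forms.
    param (
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [string]    $Privilege,
        [Parameter(Mandatory)] [string[]]  $Desired
    )
    $raw = $null
    if ($Policy.ContainsKey('Privilege Rights')) { $raw = $Policy['Privilege Rights'][$Privilege] }
    $current = @()
    if (-not [string]::IsNullOrWhiteSpace($raw))
    {
        $current = @($raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $wanted  = @($Desired | ForEach-Object { $_.Trim().TrimStart('*') })
    $extra   = @($current | Where-Object { $_ -notin $wanted })
    $missing = @($wanted  | Where-Object { $_ -notin $current })
    [PSCustomObject]@{
        Privilege      = $Privilege
        Extra          = $extra
        Missing        = $missing
        InDesiredState = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$policy = ConvertFrom-SecurityInf -Content $sampleInf

# Trimmed values compare correctly against numbers (an untrimmed " 15" did not).
([int] $policy['System Access']['ResetLockoutCount']) -eq 15

# "Bypass traverse checking" per a baseline that omits Everyone: S-1-1-0 is reported as Extra.
Compare-PrivilegeAssignment -Policy $policy -Privilege 'SeChangeNotifyPrivilege' `
    -Desired 'S-1-5-32-544', 'S-1-5-11', 'S-1-5-32-551', 'S-1-5-19', 'S-1-5-20'

# Same check against a live export (elevated): secedit /export /cfg <file>, then
# $policy = ConvertFrom-SecurityInf -Content (Get-Content -Raw -LiteralPath <file>)
```

The `Extra` list is the test a practitioner actually wants for the "Overwrite Values" question: a resource that only appends can never make it empty, so checking it after a run tells you whether the node holds exactly the configured identities or the configured identities plus whatever was there before.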

Unresolved SIDs in unmanaged user rights cause a failure

I've noticed that if we have unresolved SIDs in user rights that we are not trying to manage with DSC, the DSC code will still fail. Is it possible to make the code only attempt to resolve the members of the specific user right that is being configuration managed to avoid this issue?

UserRightsAssignment: A resource conflict occurs when trying to remove and add Identities in the same configuration

Details of the scenario you tried and the problem that is occurring

A resource conflict occurs when trying to remove and add Identities in the same configuration

Verbose logs showing the problem

Test-ConflictingResources : A conflict was detected between resources '[UserRightsAssignment]LogOnAsService
(C:\Users\Administrator\Documents\TestLogonAsService.ps1::7::9::UserRightsAssignment)' and '[UserRightsAssignment]LogOnAsService1
(C:\Users\Administrator\Documents\TestLogonAsService.ps1::14::9::UserRightsAssignment)' in node 'localhost'. Resources have identical key properties but there are differences in
the following non-key properties: 'Ensure;Identity'. Values 'Present;User1' don't match values 'Absent;User2'. Please update these property values so that they are identical in
both cases.

Suggested solution to the issue

Make Identity a Key property along with Policy

The DSC configuration that is used to reproduce the issue (as detailed as possible)

configuration testLogonAsService
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    node localhost
    {
        UserRightsAssignment LogOnAsService
        {
            Ensure = 'Present'
            Policy = 'Log_on_as_a_service'
            Identity = 'User1'
        }
        UserRightsAssignment LogOnAsService1
        {
            Ensure = 'Absent'
            Policy = 'Log_on_as_a_service'
            Identity = 'User2'
        }
    }
}
testLogonAsService

The operating system the target node is running

OsName : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 9600.18505.amd64fre.winblue_ltsb.160930-0600
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

5.1

Version of the DSC module that was used ('dev' if using current dev branch)

2.8.0.0

Update LICENSE file to match the Microsoft Open Source Team standard.

In new repositories that are created by the Microsoft Open Source Team, the LICENSE file does not contain the year in the copyright "header".

LICENSE file should be as below, indentation included.

    MIT License

    Copyright (c) Microsoft Corporation. All rights reserved.

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE

User Rights Assignment not honoring Force parameter

When I updated SecurityPolicyDsc from 1.5.0.0 to 2.0.0.0, the User Rights Assignments in my DSC script began to overwrite the existing User Rights, even though the Force parameter is not specified.

Was there a change in the new module where the UserRightsAssignment assumes it's being forced by default? Also, what additional information do you need from me to assist in troubleshooting?

My User Rights Assignments in my DSC script are below:

        UserRightsAssignment Access_this_computer_from_the_network {
            Identity = '*S-1-5-32-551', '*S-1-5-32-544', '*S-1-5-11'
            Policy   = 'Access_this_computer_from_the_network'
            Ensure   = 'Present'
        }
        UserRightsAssignment Adjust_memory_quotas_for_a_process {
            Identity = '*S-1-5-32-544', '*S-1-5-20', '*S-1-5-19'
            Policy   = 'Adjust_memory_quotas_for_a_process'
            Ensure   = 'Present'
        }
        UserRightsAssignment Allow_log_on_locally {
            Identity = '*S-1-5-32-551', '*S-1-5-32-547', '*S-1-5-32-544'
            Policy   = 'Allow_log_on_locally'
            Ensure   = 'Present'
        }
        UserRightsAssignment Allow_log_on_through_Remote_Desktop_Services {
            Identity = '*S-1-5-32-555', '*S-1-5-32-544'
            Policy   = 'Allow_log_on_through_Remote_Desktop_Services'
            Ensure   = 'Present'
        }
        UserRightsAssignment Back_up_files_and_directories {
            Identity = '*S-1-5-32-551', '*S-1-5-32-544'
            Policy   = 'Back_up_files_and_directories'
            Ensure   = 'Present'
        }
        UserRightsAssignment Bypass_traverse_checking {
            Identity = '*S-1-5-32-551', '*S-1-5-32-545', '*S-1-5-32-544', '*S-1-5-20', '*S-1-5-19', '*S-1-1-0'
            Policy   = 'Bypass_traverse_checking'
            Ensure   = 'Present'
        }
        UserRightsAssignment Change_the_system_time {
            Identity = '*S-1-5-32-544', '*S-1-5-19'
            Policy   = 'Change_the_system_time'
            Ensure   = 'Present'
        }
        UserRightsAssignment Change_the_time_zone {
            Identity = '*S-1-5-32-544', '*S-1-5-19'
            Policy   = 'Change_the_time_zone'
            Ensure   = 'Present'
        }
        UserRightsAssignment Create_a_pagefile {
            Identity = '*S-1-5-32-544'
            Policy   = 'Create_a_pagefile'
            Ensure   = 'Present'
        }
        UserRightsAssignment Create_global_objects {
            Identity = '*S-1-5-6', '*S-1-5-32-544', '*S-1-5-20', '*S-1-5-19'
            Policy   = 'Create_global_objects'
            Ensure   = 'Present'
        }
        UserRightsAssignment Create_symbolic_links {
            Identity = '*S-1-5-32-544'
            Policy   = 'Create_symbolic_links'
            Ensure   = 'Present'
        }
        UserRightsAssignment Debug_programs {
            Identity = '*S-1-5-32-544'
            Policy   = 'Debug_programs'
            Ensure   = 'Present'
        }
        UserRightsAssignment Deny_access_to_this_computer_from_the_network {
            Identity = '*S-1-5-7'
            Policy   = 'Deny_access_to_this_computer_from_the_network'
            Ensure   = 'Present'
        }
        UserRightsAssignment Deny_log_on_through_Remote_Desktop_Services {
            Identity = '*S-1-5-32-546'
            Policy   = 'Deny_log_on_through_Remote_Desktop_Services'
            Ensure   = 'Present'
        }
        UserRightsAssignment Force_shutdown_from_a_remote_system {
            Identity = '*S-1-5-32-544'
            Policy   = 'Force_shutdown_from_a_remote_system'
            Ensure   = 'Present'
        }
        UserRightsAssignment Generate_security_audits {
            Identity = '*S-1-5-20', '*S-1-5-19'
            Policy   = 'Generate_security_audits'
            Ensure   = 'Present'
        }
        UserRightsAssignment Impersonate_a_client_after_authentication {
            Identity = '*S-1-5-6', '*S-1-5-32-544', '*S-1-5-20', '*S-1-5-19'
            Policy   = 'Impersonate_a_client_after_authentication'
            Ensure   = 'Present'
        }
        UserRightsAssignment Increase_a_process_working_set {
            Identity = '*S-1-5-32-545'
            Policy   = 'Increase_a_process_working_set'
            Ensure   = 'Present'
        }
        UserRightsAssignment Increase_scheduling_priority {
            Identity = '*S-1-5-32-544'
            Policy   = 'Increase_scheduling_priority'
            Ensure   = 'Present'
        }
        UserRightsAssignment Load_and_unload_device_drivers {
            Identity = '*S-1-5-32-544'
            Policy   = 'Load_and_unload_device_drivers'
            Ensure   = 'Present'
        }
        UserRightsAssignment Log_on_as_a_batch_job {
            Identity = '*S-1-5-32-559', '*S-1-5-32-551', '*S-1-5-32-544'
            Policy   = 'Log_on_as_a_batch_job'
            Ensure   = 'Present'
        }
        UserRightsAssignment Log_on_as_a_service {
            Identity = '*S-1-5-80-0'
            Policy   = 'Log_on_as_a_service'
            Ensure   = 'Present'
        }
        UserRightsAssignment Manage_auditing_and_security_log {
            Identity = '*S-1-5-32-544'
            Policy   = 'Manage_auditing_and_security_log'
            Ensure   = 'Present'
        }
        UserRightsAssignment Modify_firmware_environment_values {
            Identity = '*S-1-5-32-544'
            Policy   = 'Modify_firmware_environment_values'
            Ensure   = 'Present'
        }
        UserRightsAssignment Perform_volume_maintenance_tasks {
            Identity = '*S-1-5-32-544'
            Policy   = 'Perform_volume_maintenance_tasks'
            Ensure   = 'Present'
        }
        UserRightsAssignment Profile_single_process {
            Identity = '*S-1-5-32-544'
            Policy   = 'Profile_single_process'
            Ensure   = 'Present'
        }
        UserRightsAssignment Profile_system_performance {
            Identity = '*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420', '*S-1-5-32-544'
            Policy   = 'Profile_system_performance'
            Ensure   = 'Present'
        }
        UserRightsAssignment Remove_computer_from_docking_station {
            Identity = '*S-1-5-32-544'
            Policy   = 'Remove_computer_from_docking_station'
            Ensure   = 'Present'
        }
        UserRightsAssignment Replace_a_process_level_token {
            Identity = '*S-1-5-20', '*S-1-5-19'
            Policy   = 'Replace_a_process_level_token'
            Ensure   = 'Present'
        }
        UserRightsAssignment Restore_files_and_directories {
            Identity = '*S-1-5-32-551', '*S-1-5-32-544'
            Policy   = 'Restore_files_and_directories'
            Ensure   = 'Present'
        }
        UserRightsAssignment Shut_down_the_system {
            Identity = '*S-1-5-32-551', '*S-1-5-32-544'
            Policy   = 'Shut_down_the_system'
            Ensure   = 'Present'
        }
        UserRightsAssignment Take_ownership_of_files_or_other_objects {
            Identity = '*S-1-5-32-544'
            Policy   = 'Take_ownership_of_files_or_other_objects'
            Ensure   = 'Present'
        }
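The conflict report earlier (two `UserRightsAssignment` instances for `Log_on_as_a_service`, one `Present` and one `Absent`) and the Force question above come down to the same design point: `Policy` is the only key property, so a right is described by exactly one instance, and `Force` decides whether that instance's `Identity` list is merged into the current assignment or replaces it. The configuration below is an added example, not the project's own code; it assumes `Force = $true` replaces the current membership with the `Identity` list (the resource's Force semantics as I understand them), and the user names and output path are illustrative.

```powershell
Configuration LogOnAsServiceExact
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    node localhost
    {
        # One instance per policy. With Force = $true the Identity list is the
        # whole assignment: User2 from the conflict report disappears because it
        # is not listed, so no second 'Ensure = Absent' instance is needed.
        # Without Force the listed identities are only added to what is there.
        UserRightsAssignment LogOnAsService
        {
            Policy   = 'Log_on_as_a_service'
            # *S-1-5-80-0 is NT SERVICE\ALL SERVICES, the principal this right
            # is normally granted to; leaving it out of a forced list revokes it.
            Identity = 'User1', '*S-1-5-80-0'
            Ensure   = 'Present'
            Force    = $true
        }
    }
}

LogOnAsServiceExact -OutputPath C:\dsc\LogOnAsService
Start-DscConfiguration -Path C:\dsc\LogOnAsService -Wait -Verbose -Force

# -Detailed lists every resource that is not in the desired state, so a
# membership that drifted (or a default that was accidentally revoked) shows up.
Test-DscConfiguration -Path C:\dsc\LogOnAsService -Detailed
```

The caveat cuts both ways: a forced list that omits the built-in holders of a right (the `*S-1-5-80-0` above, or `BUILTIN\Administrators` for most others) silently revokes them, which is why the configuration earlier in this thread spells out every default SID for every right it manages.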

UserRightAssigment Bug

In the file MSFT_UserRightsAssignment.psm1, line 471:

$currentUserRights = ([System.IO.Path]::GetTempFileName()).Replace('tmp','inf')

After some time, the resource uses up all the available "inf" file names and fails.

My workaround has been to always use the same filename.

ConvertTo-LocalFriendlyName incorrectly handles user or group names containing 'S-'

User or group accounts that contain S- in their name are incorrectly treated as a SID and translated.

Translation fails with a warning similar to the following.

WARNING: Error processing user-s-1. Error message: Cannot convert value "user-s-1" to type "System.Security.Principal.SecurityIdentifier". Error: "Value was invalid.

The issue occurs because the regular expression ($null -ne $id -and $id -match 'S-') matches any part of the string, instead of the beginning.

User Rights Assignment throwing secedit.exe error

Having an issue when trying to set the following with UserRightsAssignment...

    UserRightsAssignment LockPagesInMemory
    {
        Policy   = "Lock_pages_in_memory"
        Identity = "sqlservice"
    }

errors out with the following:

The term 'secedit.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
+ CategoryInfo : ObjectNotFound: (secedit.exe:) [], CimException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : pc-new

Cannot find path 'C:\Windows\TEMP\SecurityPolicy.inf' because it does not exist.
+ CategoryInfo : ObjectNotFound: (C:\Windows\TEMP\SecurityPolicy.inf:) [], CimException
+ FullyQualifiedErrorId : PathNotFound
+ PSComputerName : pc-new

I'm on the latest build - 2.7.0.0

SecInf Test-TargetResource can return value other than true

https://github.com/jcwalker/SeceditDsc/blob/dev/DSCResources/MSFT_SecInf/MSFT_SecInf.psm1#L100
https://github.com/jcwalker/SeceditDsc/blob/dev/DSCResources/Library/Helper.psm1#L211
Ralph Kyttle reported the following issue to me on WS2016, and I think it's in the above lines of code - the output of secedit.exe can return a value which PS treats as a return in the function. Piping to out-null should fix this, like I did here: https://github.com/zjalexander/AuditPolicyDsc/blob/master/DSCResources/Helper.psm1#L385

PS C:\Program Files\DSC-EA\Output> Test-DscConfiguration -ComputerName DSCTEST10 -ReferenceConfiguration 'C:\Program Files\DSC-EA\localhost.mof'
WARNING: [DSCTEST10]:                            [[SecInf]SecurityTemplate] Cannot bind argument to parameter 'ReferenceObject' because it is null.
The PowerShell DSC resource C:\Program Files\WindowsPowerShell\Modules\SeceditDSC\DscResources\MSFT_SecInf returned results in a format that is not valid. The results from running Test-TargetResource must be the boolean value True or False.
    + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : TestTargetResourceInvalidResultFormat
    + PSComputerName        : DSCTEST10 
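Three of the reports above are failure modes of the same call: `GetTempFileName()` leaks a `.tmp` file per invocation until the 65535-name limit is hit, `secedit.exe` is resolved through `PATH` and is not found in some sessions, and whatever secedit prints becomes part of the calling function's output, so a `Test-TargetResource` that does not discard it no longer returns a plain boolean. The wrapper below is an added example, not SecurityPolicyDsc code; it resolves the binary by absolute path, names the temp file itself, captures the tool's output, and checks the exit code. The destination file name pattern and the default areas are my choices.

```powershell
# Added example (not SecurityPolicyDsc code): export the local security policy
# with secedit.exe by absolute path, into a caller-owned temp file, with the
# tool's output captured instead of leaking into the pipeline.
function Export-SecurityPolicyInf {
    [CmdletBinding()]
    param(
        # Unique, process-specific name in $env:TEMP: no GetTempFileName()
        # placeholder to leak, and no fixed C:\Windows\TEMP\SecurityPolicy.inf
        # that two runs could race on.
        [string] $Path = (Join-Path $env:TEMP ("SecurityPolicy-{0}-{1}.inf" -f $PID, [guid]::NewGuid())),

        # secedit's own area names; SECURITYPOLICY + USER_RIGHTS cover what
        # AccountPolicy, SecurityOption and UserRightsAssignment manage.
        [ValidateSet('SECURITYPOLICY', 'USER_RIGHTS', 'REGKEYS', 'SERVICES', 'GROUP_MGMT')]
        [string[]] $Areas = @('SECURITYPOLICY', 'USER_RIGHTS')
    )

    # Absolute path: the CommandNotFoundException above is what you get when
    # the session's PATH no longer contains %SystemRoot%\System32.
    $secedit = Join-Path $env:SystemRoot 'System32\secedit.exe'
    if (-not (Test-Path -LiteralPath $secedit)) {
        throw "secedit.exe not found at '$secedit'"
    }

    # Array elements become separate arguments for the native command.
    $argList = @('/export', '/cfg', $Path, '/areas') + $Areas

    # 2>&1 plus assignment keeps secedit's text out of the function's output,
    # so a Test-TargetResource built on this still returns only its boolean.
    $output = & $secedit $argList 2>&1
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Path)) {
        throw "secedit /export failed (exit code $LASTEXITCODE): $($output -join ' ')"
    }
    Write-Verbose ($output -join ' ')

    return $Path
}

# Usage: the caller owns the file and removes it, even if inspection throws.
$inf = Export-SecurityPolicyInf -Verbose
try {
    Select-String -Path $inf -Pattern '^SeServiceLogonRight'
}
finally {
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
}
```

Note that secedit writes the INF as UTF-16 with a byte-order mark; `Get-Content` and `Select-String` detect that, but anything that reads the bytes directly needs to be told.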

UserRightsAssignment : SendConfigurationApply function did not succeed.

The following error is thrown when adding a domain group to the Perform Volume Maintenance user rights assignment.

The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : XXXXXXXXX

The local configuration manager on the target node shows the following error...

[[UserRightsAssignment]PerformVolumeMaintenanceTasks] Error processing S-1-5-80-2242208429-2985175502-2274617606-174877781-2598220866. Error message: Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated.""},
{"time": "2017-12-20T08:35:46.983-7:00", "type": "verbose", "message": "[XXXXXXXXX]:

The domain group is added, so I am not sure why the error is being thrown.

Here is the code DSC code...

        UserRightsAssignment ($Node.NodeName + "PerformVolumeMaintenanceTasks")
        {
            Policy = "Perform_volume_maintenance_tasks"
            Identity = "DOMAIN\DOMAINGROUP"
            DependsOn = ("[SqlSetup]" + $Node.NodeName)
        }

Any help appreciated.

False negative on UserRightsAssignment

        UserRightsAssignment LogOnAsABatchJobRights
        {
            Policy    = "Log_on_as_a_batch_job"
            Identity  = "$($env:COMPUTERNAME)\$($Creds.UserName)","Builtin\Administrators","Builtin\Backup Operators","Builtin\Performance Log Users"
            DependsOn = "[User]logicmon"
        }

DSC reports:
PowerShell DSC resource MSFT_UserRightsAssignment failed to execute Set-TargetResource functionality with error message: Task did not complete successfully. See log %windir%\security\logs\scesrv.log for detail info. The SendConfigurationApply function did not succeed.

However the rights assignment did complete successfully. scesrv.log shows only successes and the intended change completed successfully.

scesrv.txt

DomainControllerSecurityOptions

If nobody has started working on something similar, I would like to add a DomainControllerSecurityOptions resource to configure the "Domain controller:" settings within Local Policies > Security Options of the Local Security Policy.

My approach would be to provide named properties as a IsSingleInstance resource to each setting, and use a ValidateSet for each option to provide mapping to experience exposed in the Local Security Policy UI.

SmbServerNameHardeningLevel policy has incorrect value

SmbServerNameHardeningLevel policy has incorrect value which causes get-dscconfiguration to report NULL. This causes failure in Azure DSC. The value is set correctly in the Security Policy.

The setting “Accept if provided by the client” should be “Accept if provided by client” (no 'the').
The other two values "Off" and "Required from client" set and report correctly and do not fail in Azure DSC.

Help required with DSC configs

We have below DSC configurations:

        UserRightsAssignment EnsureChangeTheSystemTimeIsConfigured
        {
            Policy   = "Change_the_system_time"
            Identity = "Administrators", "Server Operators", "LOCAL SERVICE"
            Force    = $true
        }

        UserRightsAssignment EnsureGenerateSecurityAuditsIsSetToLOCALSERVICENETWORKSERVICE
        {
            Policy   = "Generate_security_audits"
            Identity = "Local Service", "Network Service", "IIS APPPOOL\DefaultAppPool"
            Force    = $true
        }

We are getting the error below. Can you please help with this error?

{
  "Exception": {
    "Message": "PowerShell DSC resource MSFT_UserRightsAssignment failed to execute Test-TargetResource functionality with error message: Could not convert Identity: Server Operators to SID ",
    "Data": {},
    "InnerException": {
      "ErrorRecord": "Could not convert Identity: Server Operators to SID",
      "WasThrownFromThrowStatement": true,
      "Message": "Could not convert Identity: Server Operators to SID",
      "Data": "System.Collections.ListDictionaryInternal",
      "InnerException": "System.Management.Automation.RuntimeException: Could not convert Identity: Server Operators to SID",
      "TargetSite": "System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject] Invoke(System.Collections.IEnumerable)",
      "StackTrace": "   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)\r\n   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)\r\n   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)\r\n   at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.ExecuteCommand(PowerShell powerShell, ResourceModuleInfo resInfo, String operationCmd, List`1 acceptedProperties, CimInstance nonResourcePropeties, CimInstance resourceConfiguration, LCMDebugMode debugMode, PSInvocationSettings pSInvocationSettings, UInt32\u0026 resultStatusHandle, Collection`1\u0026 result, ErrorRecord\u0026 errorRecord, PSModuleInfo localRunSpaceModuleInfo)",
      "HelpLink": null,
      "Source": "System.Management.Automation",
      "HResult": -2146233087
    },
    "TargetSite": null,
    "StackTrace": null,
    "HelpLink": null,
    "Source": null,
    "HResult": -2146233079
  },
  "TargetObject": null,
  "CategoryInfo": {
    "Category": 7,
    "Activity": "",
    "Reason": "InvalidOperationException",
    "TargetName": "",
    "TargetType": ""
  },
  "FullyQualifiedErrorId": "ProviderOperationExecutionFailure",
  "ErrorDetails": null,
  "InvocationInfo": null,
  "ScriptStackTrace": null,
  "PipelineIterationInfo": []
}

Exception when No Administrator account

Apparently due to a back and forth debate over how ForEach processes $null, there is an issue when no local administrator group is returned.

The following code needs to be in an if statement like so.:
if ($null -ne $users)
{
    # Win32_UserAccount captions have the form HOST\name; a backslash inside a
    # WQL filter string must be doubled, so '\' is replaced with '\\'.
    $accounts += $users | ForEach-Object { (Get-CimInstance Win32_UserAccount -Filter "Caption='$($_.Replace('\', '\\'))'").SID }
}

I will fix this and submit a pull request.

Define acceptable values

Many of the policy settings have parameters that simply accept [string], so as a user of this module I'm not sure what I should be putting in as the string to Enable/Disable a setting.

Can't get any SecuritySetting to function

I am probably being thick but on a Windows Server 2012 host (I have not tested on 2016 yet) I just cannot get any of the SecuritySetting resources to work. For example, I run the below to set the MaximumPasswordAge to 100 and it just does not set. When I run Get-DSCResource it still shows the old value and creates a new Name = MaximumPasswordAge in the results?

Any idea where I am going wrong..? I am using the latest version 1.4.0.0 that got updated last night I believe.

Bit of code:

Configuration SecurityTemplateTest
{
    param
    (
        # Node name supplied by the caller; defaults to the local machine.
        [string] $Nodename = 'localhost'
    )

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'SecurityPolicyDsc'
    Import-DscResource -ModuleName 'AuditPolicyDsc'

    Node $Nodename
    {
        SecuritySetting MaximumPasswordAge
        {
            Name               = "MaximumPasswordAge"
            MaximumPasswordAge = "100"
        }
    }
}

When running:

PS D:\> Start-DscConfiguration -Path D:\SecurityTemplateTest -Wait -Verbose -Force
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer LONINENGD187 with user sid S-1-5-21-1606980848-1965331169-1417001333-2849811.
VERBOSE: [LONINENGD187]: LCM:  [ Start  Set      ]
VERBOSE: [LONINENGD187]: LCM:  [ Start  Resource ]  [[SecuritySetting]MaximumPasswordAge]
VERBOSE: [LONINENGD187]: LCM:  [ Start  Test     ]  [[SecuritySetting]MaximumPasswordAge]
VERBOSE: [LONINENGD187]:                            [[SecuritySetting]MaximumPasswordAge] Creating Temp file at path: C:\Windows\security\database\temppol.inf
VERBOSE: [LONINENGD187]: LCM:  [ End    Test     ]  [[SecuritySetting]MaximumPasswordAge]  in 0.2030 seconds.
VERBOSE: [LONINENGD187]: LCM:  [ Start  Set      ]  [[SecuritySetting]MaximumPasswordAge]
VERBOSE: [LONINENGD187]:                            [[SecuritySetting]MaximumPasswordAge] Creating Temp file at path: C:\Windows\security\database\temppol.inf
VERBOSE: [LONINENGD187]:                            [[SecuritySetting]MaximumPasswordAge] Creating Temp file at path: C:\Windows\security\database\temppol.inf
VERBOSE: [LONINENGD187]:                            [[SecuritySetting]MaximumPasswordAge] Creating Temp file at path: C:\Windows\security\database\tmpsecedit.sdb
VERBOSE: [LONINENGD187]: LCM:  [ End    Set      ]  [[SecuritySetting]MaximumPasswordAge]  in 0.2180 seconds.
VERBOSE: [LONINENGD187]: LCM:  [ End    Resource ]  [[SecuritySetting]MaximumPasswordAge]
VERBOSE: [LONINENGD187]: LCM:  [ End    Set      ]
VERBOSE: [LONINENGD187]: LCM:  [ End    Set      ]    in  1.1250 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.871 seconds

Doing a Get-DscConfiguration:

ConfigurationName         : SecurityTemplateTest
DependsOn                 :
ModuleName                : SecurityPolicyDsc
ModuleVersion             : 1.4.0.0
PsDscRunAsCredential      :
ResourceId                : [SecuritySetting]MaximumPasswordAge
SourceInfo                :
ClearTextPassword         : 0
EnableAdminAccount        : 1
EnableGuestAccount        : 0
Ensure                    :
ForceLogoffWhenHourExpire : 1
LockoutBadCount           : 5
LockoutDuration           : 15
LSAAnonymousNameLookup    : 0
MaxClockSkew              :
MaximumPasswordAge        : 90
MaxRenewAge               :
MaxServiceAge             :
MaxTicketAge              :
MinimumPasswordAge        : 0
MinimumPasswordLength     : 8
Name                      : MaximumPasswordAge
NewAdministratorName      : "Admin"
NewGuestName              : "            gst"
PasswordComplexity        : 1
PasswordHistorySize       : 12
ResetLockoutCount         : 15
TicketValidateClient      :
PSComputerName            :
CimClassName              : MSFT_SecuritySetting

Finally doing a Test-DSCConfiguration:

PS D:\> Test-DscConfiguration
False
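Later releases of the module replace `SecuritySetting` with the `AccountPolicy` and `SecurityOption` resources, and the maximum password age is set through `AccountPolicy`'s `Maximum_Password_Age` property. The configuration below is an added example, not from the post or the project; the property names follow the module's README, the output path is illustrative, and the final check reads the value back from the OS with `secedit /export` rather than from the LCM's cached `Get-DscConfiguration` view, which is the source of confusion in the log above.

```powershell
Configuration PasswordAgeBaseline
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    node localhost
    {
        # Name is only a unique instance key; the settings are the other
        # properties. Values in days, per the Account Policies reference.
        AccountPolicy PasswordAge
        {
            Name                 = 'PasswordAge'
            Maximum_Password_Age = 100
            Minimum_Password_Age = 1
        }
    }
}

PasswordAgeBaseline -OutputPath C:\dsc\PasswordAge
Start-DscConfiguration -Path C:\dsc\PasswordAge -Wait -Verbose -Force

# Confirm against the OS, not the DSC cache: export the policy area and read
# the two settings straight from the INF secedit writes.
$check = Join-Path $env:TEMP 'passwordage-check.inf'
secedit /export /cfg $check /areas SECURITYPOLICY | Out-Null
Select-String -Path $check -Pattern '^(Maximum|Minimum)PasswordAge'
Remove-Item -LiteralPath $check -ErrorAction SilentlyContinue

# Expected lines: MaximumPasswordAge = 100 and MinimumPasswordAge = 1
```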

How to properly handle SID translation failures

I would like to get feedback from the community on the best way to handle SID translation exceptions. Currently the resource will throw an exception if a SID cannot be translated. There have been requests/suggestions that this behavior should be changed to silently handle the exception and have Test-TargetResource return false. In both cases the configuration will need to be updated. The way the resource currently works makes it obvious a correction needs to be made. If the resource is changed to silently handle the exception and return false the administrator will not know anything is wrong until they validate the configuration was successful. Is there anything else that I'm missing here? What are your thoughts?
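The unresolved-SID failure reported earlier, the `'S-'` substring match in `ConvertTo-LocalFriendlyName`, the `Translate` exception for the domain group, and the question above all hinge on two decisions: how to tell a SID from an account name, and what to do when translation fails. The function below is an added example, not SecurityPolicyDsc code: it classifies with an anchored pattern, translates in whichever direction applies, and reports failure as data rather than throwing, so the caller (a `Test-TargetResource`, say) can warn and return `$false` for the identities it actually manages and ignore the rest. The sample identities are constructed; two are chosen so that they cannot resolve.

```powershell
# Added example (not SecurityPolicyDsc code): classify an identity as SID or
# account name with an anchored pattern, translate it, and surface failure as
# a field on the result instead of an exception.
function Resolve-PolicyIdentity {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Identity
    )
    process {
        # secedit writes SIDs with a leading '*'; drop it before classifying.
        $id = $Identity.TrimStart('*')

        # Anchored at the start and requiring the S-1-<authority>-<subauth>...
        # shape: 'user-s-1' or 'DOMAIN\S-Team' are account names, not SIDs.
        $isSid = $id -match '^S-1-\d+(-\d+)+$'

        $result = [pscustomobject]@{
            Input    = $Identity
            IsSid    = $isSid
            Sid      = $null
            Name     = $null
            Resolved = $false
            Error    = $null
        }

        try {
            if ($isSid) {
                $sid = [System.Security.Principal.SecurityIdentifier] $id
                $result.Sid  = $sid.Value
                $result.Name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            else {
                $acct = [System.Security.Principal.NTAccount] $id
                $result.Name = $acct.Value
                $result.Sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            }
            $result.Resolved = $true
        }
        catch {
            # IdentityNotMappedException for an orphaned SID, or for a name that
            # does not exist on this host (e.g. 'Server Operators' on a member
            # server, which only exists on domain controllers).
            $result.Error = $_.Exception.GetBaseException().Message
        }

        $result
    }
}

# Caller-side policy: only the identities named in the configuration for the
# right being managed are required to resolve; everything else in the export
# is not this resource's concern.
function Test-ManagedIdentitiesResolve {
    param([Parameter(Mandatory)] [string[]] $Desired)
    $unresolved = @($Desired | Resolve-PolicyIdentity | Where-Object { -not $_.Resolved })
    foreach ($u in $unresolved) {
        Write-Warning "Cannot resolve '$($u.Input)': $($u.Error)"
    }
    return ($unresolved.Count -eq 0)
}

# Constructed input: two well-known SIDs that resolve on any Windows host, one
# syntactically valid but orphaned SID, and a name that merely contains 'S-'.
'*S-1-5-32-544', 'S-1-5-19', 'S-1-5-21-1-2-3-9999', 'user-s-1' |
    Resolve-PolicyIdentity |
    Format-Table Input, IsSid, Resolved, Name, Error -AutoSize

Test-ManagedIdentitiesResolve -Desired '*S-1-5-32-544', 'user-s-1'   # warns, returns False
```

Whether `Test-TargetResource` then throws or returns `$false` is the policy question above; with the failure carried as data the choice sits in one place, and the warning still names the offending identity either way.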

"Path" parameter fails

Repro:
This file comes from the WS2016 security baselines https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/ (specifically the 2016 member server computer baseline)
audit.zip

VERBOSE: [ZACHAL-DSCTEST]: [[SecurityTemplate]baselineInf] Policy: SeTrustedCredManAccessPrivilege not in a desired state.
Cannot bind argument to parameter 'Path' because it is null.
    + CategoryInfo          : InvalidData: (:) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.GetContentCommand
    + PSComputerName        : localhost

when executing on WS2016 Server Desktop + Nano Server

how to export security policy to a file and restore from it?

https://blogs.msdn.microsoft.com/powershell/2017/02/21/managing-security-settings-on-nano-server-with-dsc/

After reading the article above, I see there are two modules, AuditPolicyDsc and SecurityPolicyDSC,

but gpedit has only one. I am a little confused: are audit policy and security policy two different settings?

How do I export the security policy to a file and restore from it?

If I export to a file, should I check the exported file to see whether the policy is applied, or use SecurityPolicyDSC to validate whether the policy is applied?
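Local Security Policy shows both in one tree, but they are two stores behind two tools: the advanced audit policy is managed with `auditpol.exe` (AuditPolicyDsc), while account policy, security options and user rights go through `secedit.exe` (SecurityPolicyDsc). For the second store, `secedit /export` writes an INF and `secedit /configure` applies one. The functions below are an added example, not project code; they take a backup, restore it, and verify by re-exporting and diffing against the backup, which answers the validation question with the OS's own view rather than DSC's cache. Paths are illustrative.

```powershell
# Added example (not SecurityPolicyDsc code): back up, restore and verify the
# local security policy with secedit.exe.
$secedit = Join-Path $env:SystemRoot 'System32\secedit.exe'

function Backup-LocalSecurityPolicy {
    param([Parameter(Mandatory)] [string] $Path)
    $out = & $secedit /export /cfg $Path /areas SECURITYPOLICY USER_RIGHTS 2>&1
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed: $($out -join ' ')" }
    return $Path
}

function Restore-LocalSecurityPolicy {
    param([Parameter(Mandatory)] [string] $Path)
    # /configure applies through a database. A fresh one plus /overwrite means
    # only what the INF contains is applied; /quiet suppresses the y/n prompt.
    $db  = Join-Path $env:TEMP ("restore-{0}.sdb" -f [guid]::NewGuid())
    $log = Join-Path $env:TEMP 'restore-secedit.log'
    try {
        $out = & $secedit /configure /db $db /cfg $Path /overwrite /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "secedit /configure failed; see $log and $env:windir\security\logs\scesrv.log. Output: $($out -join ' ')"
        }
    }
    finally {
        Remove-Item -LiteralPath $db -ErrorAction SilentlyContinue
    }
}

function Compare-LocalSecurityPolicy {
    # Re-export and diff against the reference INF, ignoring comments and
    # blank lines. No output means the live policy matches the file.
    param([Parameter(Mandatory)] [string] $ReferencePath)
    $current = Join-Path $env:TEMP ("verify-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = Backup-LocalSecurityPolicy -Path $current
        $keep = { $_.Trim() -and -not $_.Trim().StartsWith(';') }
        $reference = Get-Content -LiteralPath $ReferencePath | Where-Object $keep
        $live      = Get-Content -LiteralPath $current       | Where-Object $keep
        Compare-Object -ReferenceObject $reference -DifferenceObject $live
    }
    finally {
        Remove-Item -LiteralPath $current -ErrorAction SilentlyContinue
    }
}

# Usage: snapshot before a change, roll back, then confirm nothing drifted.
Backup-LocalSecurityPolicy  -Path C:\backup\secpol-before.inf
Restore-LocalSecurityPolicy -Path C:\backup\secpol-before.inf
Compare-LocalSecurityPolicy -ReferencePath C:\backup\secpol-before.inf
```

The export is a snapshot of settings, not of the accounts they reference: an INF that names a SID which no longer exists on the target will still apply, but the re-export will show the orphaned SID, which is one more reason to diff rather than trust the exit code alone.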

[SecurityOption] Error in "Accounts_Block_Microsoft_accounts"

Issue

An error occurred when trying to configure Accounts_Block_Microsoft_accounts in the SecurityOption resource.

Steps to reproduce

  • Run the script below.
Configuration SecurityOptions
{
    Import-DscResource -ModuleName SecurityPolicyDsc  -ModuleVersion '2.0.0.0'
    node localhost
    {
        SecurityOption SecurityOptions
        {
            Name = 'SecurityOptions'
            Accounts_Block_Microsoft_accounts = "Users cant add or log on with Microsoft accounts"
        }
    }
}

SecurityOptions -OutputPath c:\dsc 
Start-DscConfiguration -Path c:\dsc -Wait -Force -Verbose
  • Then the following error occurred.
VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ Start  Set      ]
VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ Start  Resource ]  [[SecurityOption]SecurityOptions]
VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ Start  Test     ]  [[SecurityOption]SecurityOptions]
VERBOSE: [DESKTOP-MHVP83I]:                            [[SecurityOption]SecurityOptions] Testing SecurityOption: Accounts_Block_Microsoft_accounts
VERBOSE: [DESKTOP-MHVP83I]:                            [[SecurityOption]SecurityOptions] Current policy: Userscant add or log on with Microsoft accounts Desired policy: Users cant add or log on with Microsoft accounts
VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ End    Test     ]  [[SecurityOption]SecurityOptions]  in 0.1880 seconds.
VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ Start  Set      ]  [[SecurityOption]SecurityOptions]
VERBOSE: [DESKTOP-MHVP83I]:                            [[SecurityOption]SecurityOptions] Testing SecurityOption: Accounts_Block_Microsoft_accounts
VERBOSE: [DESKTOP-MHVP83I]:                            [[SecurityOption]SecurityOptions] Current policy: Userscant add or log on with Microsoft accounts Desired policy: Users cant add or log on with Microsoft accounts
VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ End    Set      ]  [[SecurityOption]SecurityOptions]  in 1.3970 seconds.
PowerShell DSC resource MSFT_SecurityOption failed to execute Set-TargetResource functionality. Error message:
Failed to update security option Accounts_Block_Microsoft_accounts. Refer to
%windir%\security\logs\scesrv.log for details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: [DESKTOP-MHVP83I]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.749 seconds

Cause

My guess is that the cause of this issue is that the strings in SecurityOptionData.psd and MSFT_SecurityOption.psm1 do not match.

SecurityOptionData.psd of Line 18

"Userscant add or log on with Microsoft accounts" = '4,3'

MSFT_SecurityOption.psm1 of Line 95

[ValidateSet("This policy is disabled", "Users cant add Microsoft accounts", "Users cant add or log on with Microsoft accounts")]

So in SecurityOptionData.psd there is no space between "Users" and "cant". 😟
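This report and the SmbServerNameHardeningLevel one earlier ("Accept if provided by the client" versus "Accept if provided by client") are the same class of defect: the `ValidateSet` on the resource parameter and the keys in the data file drift apart, the test passes the string through, and secedit is handed nothing usable. The check below is an added example, not project code: it takes the two string sets and reports every allowed value that has no data-file key, flagging near misses that differ only in whitespace or case. The two tables are constructed from the strings quoted above; the `'4,0'` and `'4,1'` values for the other two options are assumed, and the real files' layout is not reproduced.

```powershell
# Added example (not SecurityPolicyDsc code): find ValidateSet values that the
# option-to-secedit mapping cannot serve, and point at whitespace/case drift.
function Compare-SecurityOptionStrings {
    param(
        [Parameter(Mandatory)] [string[]]  $ValidateSet,   # strings the resource parameter accepts
        [Parameter(Mandatory)] [hashtable] $DataMapping    # option string -> secedit registry value
    )

    foreach ($allowed in $ValidateSet) {
        if ($DataMapping.ContainsKey($allowed)) { continue }

        # No exact key. Look for one that is identical once whitespace is
        # removed (string -eq is already case-insensitive in PowerShell); that
        # is the "Userscant" vs "Users cant" drift in the log above.
        $near = @($DataMapping.Keys | Where-Object {
            ($_ -replace '\s', '') -eq ($allowed -replace '\s', '')
        })
        $status = if ($near.Count -gt 0) { 'WhitespaceMismatch' } else { 'Missing' }

        [pscustomobject]@{
            ValidateSetValue = $allowed
            DataFileKey      = ($near -join '; ')
            Status           = $status
        }
    }
}

# Constructed to mirror the mismatch reported above.
$validateSet = @(
    'This policy is disabled',
    'Users cant add Microsoft accounts',
    'Users cant add or log on with Microsoft accounts'
)
$dataMapping = @{
    'This policy is disabled'                         = '4,0'   # assumed
    'Users cant add Microsoft accounts'               = '4,1'   # assumed
    'Userscant add or log on with Microsoft accounts' = '4,3'   # as quoted in the report
}

Compare-SecurityOptionStrings -ValidateSet $validateSet -DataMapping $dataMapping
# One row: 'Users cant add or log on with Microsoft accounts' -> 'Userscant add or log on with Microsoft accounts' (WhitespaceMismatch)
```

Run against the module's real data file and parameter blocks, a check like this belongs in the unit tests: every `ValidateSet` value of every `SecurityOption` parameter should resolve to exactly one key, and the test fails the build on the first row it gets back.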
