├── .fixtures.yml ├── .gitignore ├── .gitlab-ci.yml ├── .pdkignore ├── .rspec ├── .rubocop.yml ├── .travis.yml ├── .yardopts ├── Gemfile ├── README.md ├── Rakefile ├── appveyor.yml ├── examples └── init.pp ├── files ├── auditDC.csv └── auditMS.csv ├── hiera.yaml ├── manifests ├── configure.pp └── init.pp ├── metadata.json └── spec ├── acceptance ├── harden_spec.rb └── nodesets │ └── windows2008r2.yml ├── classes └── init_spec.rb ├── default_facts.yml ├── spec_helper.rb └── spec_helper_acceptance.rb /.fixtures.yml: -------------------------------------------------------------------------------- 1 | fixtures: 2 | symlinks: 3 | harden_windows_server: "#{source_dir}" 4 | forge_modules: 5 | stdlib: 6 | repo: "puppetlabs/stdlib" 7 | ref: '4.25.1' 8 | local_security_policy: 9 | repo: "ayohrling/local_security_policy" 10 | ref: '0.6.3' 11 | registry: 12 | repo: "puppetlabs/registry" 13 | ref: '2.0.2' 14 | auditpol: 15 | repo: 'autostructure/auditpol' 16 | ref: '1.0.0' 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .*.sw[op] 3 | .metadata 4 | .yardoc 5 | .yardwarns 6 | *.iml 7 | /.bundle/ 8 | /.idea/ 9 | /.vagrant/ 10 | /coverage/ 11 | /bin/ 12 | /doc/ 13 | /Gemfile.local 14 | /Gemfile.lock 15 | /junit/ 16 | /log/ 17 | /pkg/ 18 | /spec/fixtures/manifests/ 19 | /spec/fixtures/modules/ 20 | /tmp/ 21 | /vendor/ 22 | /convert_report.txt 23 | /update_report.txt 24 | .DS_Store 25 | -------------------------------------------------------------------------------- /.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | stages: 3 | - syntax 4 | - unit 5 | 6 | cache: 7 | paths: 8 | - vendor/bundle 9 | 10 | before_script: 11 | - bundle -v 12 | - rm Gemfile.lock || true 13 | - gem update --system 14 | - gem --version 15 | - bundle -v 16 | - bundle install --without system_tests --path 
vendor/bundle --jobs $(nproc) 17 | 18 | parallel_spec-Ruby 2.1.9-Puppet ~> 4.0: 19 | stage: syntax 20 | image: ruby:2.1.9 21 | script: 22 | - bundle exec rake parallel_spec 23 | variables: 24 | PUPPET_GEM_VERSION: '~> 4.0' 25 | 26 | syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop-Ruby 2.4.4-Puppet ~> 5.5: 27 | stage: syntax 28 | image: ruby:2.4.4 29 | script: 30 | - bundle exec rake syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop 31 | variables: 32 | PUPPET_GEM_VERSION: '~> 5.5' 33 | 34 | parallel_spec-Ruby 2.4.4-Puppet ~> 5.5: 35 | stage: syntax 36 | image: ruby:2.4.4 37 | script: 38 | - bundle exec rake parallel_spec 39 | variables: 40 | PUPPET_GEM_VERSION: '~> 5.5' 41 | 42 | -------------------------------------------------------------------------------- /.pdkignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .*.sw[op] 3 | .metadata 4 | .yardoc 5 | .yardwarns 6 | *.iml 7 | /.bundle/ 8 | /.idea/ 9 | /.vagrant/ 10 | /coverage/ 11 | /bin/ 12 | /doc/ 13 | /Gemfile.local 14 | /Gemfile.lock 15 | /junit/ 16 | /log/ 17 | /pkg/ 18 | /spec/fixtures/manifests/ 19 | /spec/fixtures/modules/ 20 | /tmp/ 21 | /vendor/ 22 | /convert_report.txt 23 | /update_report.txt 24 | .DS_Store 25 | -------------------------------------------------------------------------------- /.rspec: -------------------------------------------------------------------------------- 1 | --color 2 | --format documentation 3 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | --- 2 | require: rubocop-rspec 3 | AllCops: 4 | DisplayCopNames: true 5 | TargetRubyVersion: '2.1' 6 | Include: 7 | - "./**/*.rb" 8 | Exclude: 9 | - bin/* 10 | - ".vendor/**/*" 11 | - "**/Gemfile" 12 | - "**/Rakefile" 13 | - pkg/**/* 14 | - 
spec/fixtures/**/* 15 | - vendor/**/* 16 | - "**/Puppetfile" 17 | - "**/Vagrantfile" 18 | - "**/Guardfile" 19 | Metrics/LineLength: 20 | Description: People have wide screens, use them. 21 | Max: 200 22 | RSpec/BeforeAfterAll: 23 | Description: Beware of using after(:all) as it may cause state to leak between tests. 24 | A necessary evil in acceptance testing. 25 | Exclude: 26 | - spec/acceptance/**/*.rb 27 | RSpec/HookArgument: 28 | Description: Prefer explicit :each argument, matching existing module's style 29 | EnforcedStyle: each 30 | Style/BlockDelimiters: 31 | Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to 32 | be consistent then. 33 | EnforcedStyle: braces_for_chaining 34 | Style/ClassAndModuleChildren: 35 | Description: Compact style reduces the required amount of indentation. 36 | EnforcedStyle: compact 37 | Style/EmptyElse: 38 | Description: Enforce against empty else clauses, but allow `nil` for clarity. 39 | EnforcedStyle: empty 40 | Style/FormatString: 41 | Description: Following the main puppet project's style, prefer the % format format. 42 | EnforcedStyle: percent 43 | Style/FormatStringToken: 44 | Description: Following the main puppet project's style, prefer the simpler template 45 | tokens over annotated ones. 46 | EnforcedStyle: template 47 | Style/Lambda: 48 | Description: Prefer the keyword for easier discoverability. 49 | EnforcedStyle: literal 50 | Style/RegexpLiteral: 51 | Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 52 | EnforcedStyle: percent_r 53 | Style/TernaryParentheses: 54 | Description: Checks for use of parentheses around ternary conditions. Enforce parentheses 55 | on complex expressions for better readability, but seriously consider breaking 56 | it up. 57 | EnforcedStyle: require_parentheses_when_complex 58 | Style/TrailingCommaInArguments: 59 | Description: Prefer always trailing comma on multiline argument lists. 
This makes 60 | diffs, and re-ordering nicer. 61 | EnforcedStyleForMultiline: comma 62 | Style/TrailingCommaInLiteral: 63 | Description: Prefer always trailing comma on multiline literals. This makes diffs, 64 | and re-ordering nicer. 65 | EnforcedStyleForMultiline: comma 66 | Style/SymbolArray: 67 | Description: Using percent style obscures symbolic intent of array's contents. 68 | EnforcedStyle: brackets 69 | RSpec/MessageSpies: 70 | EnforcedStyle: receive 71 | Style/Documentation: 72 | Exclude: 73 | - lib/puppet/parser/functions/**/* 74 | - spec/**/* 75 | Style/WordArray: 76 | EnforcedStyle: brackets 77 | Style/CollectionMethods: 78 | Enabled: true 79 | Style/MethodCalledOnDoEndBlock: 80 | Enabled: true 81 | Style/StringMethods: 82 | Enabled: true 83 | Layout/EndOfLine: 84 | Enabled: false 85 | Layout/IndentHeredoc: 86 | Enabled: false 87 | Metrics/AbcSize: 88 | Enabled: false 89 | Metrics/BlockLength: 90 | Enabled: false 91 | Metrics/ClassLength: 92 | Enabled: false 93 | Metrics/CyclomaticComplexity: 94 | Enabled: false 95 | Metrics/MethodLength: 96 | Enabled: false 97 | Metrics/ModuleLength: 98 | Enabled: false 99 | Metrics/ParameterLists: 100 | Enabled: false 101 | Metrics/PerceivedComplexity: 102 | Enabled: false 103 | RSpec/DescribeClass: 104 | Enabled: false 105 | RSpec/ExampleLength: 106 | Enabled: false 107 | RSpec/MessageExpectation: 108 | Enabled: false 109 | RSpec/MultipleExpectations: 110 | Enabled: false 111 | RSpec/NestedGroups: 112 | Enabled: false 113 | Style/AsciiComments: 114 | Enabled: false 115 | Style/IfUnlessModifier: 116 | Enabled: false 117 | Style/SymbolProc: 118 | Enabled: false 119 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | sudo: false 3 | dist: trusty 4 | language: ruby 5 | cache: bundler 6 | before_install: 7 | - bundle -v 8 | - rm -f Gemfile.lock 9 | - gem update --system 10 | - gem 
--version 11 | - bundle -v 12 | script: 13 | - 'bundle exec rake $CHECK' 14 | bundler_args: --without system_tests 15 | rvm: 16 | - 2.4.4 17 | env: 18 | global: 19 | - BEAKER_PUPPET_COLLECTION=puppet5 PUPPET_GEM_VERSION="~> 5.0" 20 | matrix: 21 | fast_finish: true 22 | include: 23 | - 24 | env: CHECK="syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop" 25 | - 26 | env: CHECK=parallel_spec 27 | - 28 | env: PUPPET_GEM_VERSION="~> 4.0" CHECK=parallel_spec 29 | rvm: 2.1.9 30 | branches: 31 | only: 32 | - master 33 | - /^v\d/ 34 | notifications: 35 | email: false 36 | deploy: 37 | provider: puppetforge 38 | user: puppet 39 | password: 40 | secure: "" 41 | on: 42 | tags: true 43 | all_branches: true 44 | condition: "$DEPLOY_TO_FORGE = yes" 45 | -------------------------------------------------------------------------------- /.yardopts: -------------------------------------------------------------------------------- 1 | --markup markdown 2 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source ENV['GEM_SOURCE'] || 'https://rubygems.org' 2 | 3 | def location_for(place_or_version, fake_version = nil) 4 | if place_or_version =~ %r{\A(git[:@][^#]*)#(.*)} 5 | [fake_version, { git: Regexp.last_match(1), branch: Regexp.last_match(2), require: false }].compact 6 | elsif place_or_version =~ %r{\Afile:\/\/(.*)} 7 | ['>= 0', { path: File.expand_path(Regexp.last_match(1)), require: false }] 8 | else 9 | [place_or_version, { require: false }] 10 | end 11 | end 12 | 13 | def gem_type(place_or_version) 14 | if place_or_version =~ %r{\Agit[:@]} 15 | :git 16 | elsif !place_or_version.nil? 
&& place_or_version.start_with?('file:') 17 | :file 18 | else 19 | :gem 20 | end 21 | end 22 | 23 | ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments 24 | minor_version = ruby_version_segments[0..1].join('.') 25 | 26 | group :development do 27 | gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') 28 | gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') 29 | gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') 30 | gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') 31 | gem "json", '<= 2.0.4', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.4.4') 32 | gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] 33 | gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] 34 | gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] 35 | gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] 36 | end 37 | 38 | puppet_version = ENV['PUPPET_GEM_VERSION'] 39 | puppet_type = gem_type(puppet_version) 40 | facter_version = ENV['FACTER_GEM_VERSION'] 41 | hiera_version = ENV['HIERA_GEM_VERSION'] 42 | 43 | gems = {} 44 | 45 | gems['puppet'] = location_for(puppet_version) 46 | 47 | # If facter or hiera versions have been specified via the environment 48 | # variables 49 | 50 | gems['facter'] = location_for(facter_version) if facter_version 51 | gems['hiera'] = location_for(hiera_version) if hiera_version 52 | 53 | if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)} 54 | # If we're using a Puppet gem on Windows which handles its own win32-xxx gem 55 | # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). 
56 | gems['win32-dir'] = ['<= 0.4.9', require: false] 57 | gems['win32-eventlog'] = ['<= 0.6.5', require: false] 58 | gems['win32-process'] = ['<= 0.7.5', require: false] 59 | gems['win32-security'] = ['<= 0.2.5', require: false] 60 | gems['win32-service'] = ['0.8.8', require: false] 61 | end 62 | 63 | gems.each do |gem_name, gem_params| 64 | gem gem_name, *gem_params 65 | end 66 | 67 | # Evaluate Gemfile.local and ~/.gemfile if they exist 68 | extra_gemfiles = [ 69 | "#{__FILE__}.local", 70 | File.join(Dir.home, '.gemfile'), 71 | ] 72 | 73 | extra_gemfiles.each do |gemfile| 74 | if File.file?(gemfile) && File.readable?(gemfile) 75 | eval(File.read(gemfile), binding) 76 | end 77 | end 78 | # vim: syntax=ruby 79 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Build Status - Master](https://travis-ci.org/juju4/harden_windows_server.svg?branch=master)](https://travis-ci.org/juju4/harden_windows_server) 2 | [![Build Status - Devel](https://travis-ci.org/juju4/harden_windows_server.svg?branch=devel)](https://travis-ci.org/juju4/harden_windows_server/branches) 3 | [![Appveyor - Master](https://ci.appveyor.com/api/projects/status/ilyqrkiv5jo3ohk8/branch/master?svg=true)](https://ci.appveyor.com/project/juju4/harden-windows-server) 4 | ![Appveyor - Devel](https://ci.appveyor.com/api/projects/status/ilyqrkiv5jo3ohk8/branch/devel?svg=true) 5 | 6 | # harden_windows_server 7 | 8 | ## Module Description 9 | This module hardens Windows Server 2008 R2 to the most recent CIS Benchmark, which can be found here: 10 | 11 | https://www.cisecurity.org/cis-benchmarks/ 12 | 13 | ## Setup 14 | To use this module, you need to specify whether or not the node is a **Domain Controller** or a **Member Server** by modifying the `is_domain_controller` parameter. The CIS Benchmark recommends a different security configuration for each type of node. 
This module defaults to the **Member Server** configuration. 15 | 16 | Instantiate the class as a **Domain Controller**: 17 | 18 | ``` puppet 19 | class { 'harden_windows_server': 20 | is_domain_controller => true, 21 | } 22 | ``` 23 | 24 | Instantiate the class as a **Member Server**: 25 | 26 | ``` puppet 27 | class { 'harden_windows_server': 28 | is_domain_controller => false, 29 | } 30 | ``` 31 | 32 | ## Usage 33 | The CIS Benchmark has two types of security configurations: **Level 1** and **Level 2**. 34 | 35 | **Level 1** items intend to: 36 | 37 | - be practical and prudent; 38 | - provide a clear security benefit; and 39 | - not inhibit the utility of the technology beyond acceptable means. 40 | 41 | **Level 2** items exhibit one or more of the following characteristics: 42 | 43 | - are intended for environments or use cases where security is paramount 44 | - acts as defense in depth measure 45 | - may negatively inhibit the utility or performance of the technology 46 | 47 | By default, all **Level 1** items are managed by the module. However, each organization is unique and might need to disable certain **Level 1** items so that they can configure them themselves. See our reference for a list of all managed items and disable them as shown below, if needed. 48 | 49 | For example, the `ensure_account_lockout_duration_is_set_to_15_or_more_minutes` item sets the lockout duration to 30 minutes by default. If your organization requires a different lockout duration, disable this parameter so you can manually configure it. In a future release, you will be able to manage custom values within the module. 50 | 51 | Disable `ensure_account_lockout_duration_is_set_to_15_or_more_minutes`: 52 | 53 | ``` puppet 54 | class { 'harden_windows_server': 55 | is_domain_controller => false, 56 | ensure_account_lockout_duration_is_set_to_15_or_more_minutes => false, 57 | } 58 | ``` 59 | 60 | **Level 2** items are not managed, by default. 
To enable a **Level 2** item, find the parameter in our reference and set it to `true`. 61 | 62 | Enable `ensure_log_on_as_a_batch_job_is_set_to_administrators`: 63 | 64 | ``` puppet 65 | class { 'harden_windows_server': 66 | is_domain_controller => false, 67 | ensure_log_on_as_a_batch_job_is_set_to_administrators => true, 68 | } 69 | ``` 70 | 71 | ## Reference 72 | 73 | ### Level 1 74 | | | Control | Enforced | | | Notes | 75 | |---|----------------------------------------------------------------------------------------------------------------|----------|---|-----|------------------------------------------------------------------| 76 | | | | MS | DC| N/A | | 77 | | 1.1.1 | Ensure 'Enforce password history' is set to '24 or more password(s)' | X | X | | 24 passwords | 78 | | 1.1.2 | Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | X | X | | 42 days | 79 | | 1.1.3 | Ensure 'Minimum password age' is set to '1 or more day(s)' | X | X | | 1 day | 80 | | 1.1.4 | Ensure 'Minimum password length' is set to '14 or more character(s)' | X | X | | 14 characters | 81 | | 1.1.5 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' | X | X | | | 82 | | 1.1.6 | Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | X | X | | | 83 | | 1.2.1 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' | X | X | | 30 minutes | 84 | | 1.2.2 | Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | X | X | | 10 attempts | 85 | | 1.2.3 | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | X | X | | 30 minutes | 86 | | 2.2.1 | Ensure 'Acceess Credential Manager as a trusted calls' is set to 'No One' | X | X | | | 87 | | 2.2.2 | Configure 'Access this computer from the network' | X | X | | | 88 | | 2.2.3 | Ensure 'Act as part of the operating system' is set to 'No One' | X | X | | | 89 | | 2.2.4 | Ensure 'Add workstations to domain' is set to 
'Administrators' (DC only) | | X | | | 90 | | 2.2.5 | Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | X | X | | | 91 | | 2.2.6 | Configure 'Allow log on locally' | X | X | | | 92 | | 2.2.7 | Configure 'Allow log on through Remote Desktop Services' | X | X | | | 93 | | 2.2.8 | Ensure 'Back up files and directories' is set to 'Administrators' | X | X | | | 94 | | 2.2.9 | Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | X | X | | | 95 | | 2.2.10 | Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' | X | X | | | 96 | | 2.2.11 | Ensure 'Create a pagefile' is set to 'Administrators' | X | X | | | 97 | | 2.2.12 | Ensure 'Create a token object' is set to 'No One' | X | X | | | 98 | | 2.2.13 | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | X | X | | | 99 | | 2.2.14 | Ensure 'Create permanent shared objects' is set to 'No One' | X | X | | | 100 | | 2.2.15 | Configure 'Create symbolic links' | X | X | | Manually configure this if the hyper-v role is activated | 101 | | 2.2.16 | Ensure 'Debug programs' is set to 'Administrators' | X | X | | | 102 | | 2.2.17 | Configure 'Deny access to this computer from the network' | X | X | | | 103 | | 2.2.18 | Ensure 'Deny log on as a batch job' to include 'Guests' | X | X | | | 104 | | 2.2.19 | Ensure 'Deny log on as a service' to include 'Guests' | X | X | | | 105 | | 2.2.20 | Ensure 'Deny log on locally' to include 'Guests' | X | X | | | 106 | | 2.2.21 | Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | X | X | | | 107 | | 2.2.22 | Configure 'Enable computer and user accounts to be trusted for delegation' | X | X | | | 108 | | 2.2.23 | Ensure 'Force shutdown from a remote system' is set to 'Administrators' | X | X | | | 109 | | 2.2.24 | Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | X | X | | | 110 | | 2.2.25 | 
Configure 'Impersonate a client after authentication' | X | X | | Manually configure this if the web server role is activated | 111 | | 2.2.26 | Ensure 'Increase scheduling priority' is set to 'Administrators' | X | X | | | 112 | | 2.2.27 | Ensure 'Load and unload device drivers' is set to 'Administrators' | X | X | | | 113 | | 2.2.28 | Ensure 'Lock pages in memory' is set to 'No One' | X | X | | | 114 | | 2.2.30 | Configure 'Manage auditing and security log' | X | X | | Manually configure this if using exchange | 115 | | 2.2.31 | Ensure 'Modify an object label' is set to 'No One' | X | X | | | 116 | | 2.2.32 | Ensure 'Modify firmware environment values' is set to 'Administrators' | X | X | | | 117 | | 2.2.33 | Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | X | X | | | 118 | | 2.2.34 | Ensure 'Profile single process' is set to 'Administrators' | X | X | | | 119 | | 2.2.35 | Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | X | X | | | 120 | | 2.2.36 | Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | X | X | | | 121 | | 2.2.37 | Ensure 'Restore files and directories' is set to 'Administrators' | X | X | | | 122 | | 2.2.38 | Ensure 'Shut down the system' is set to 'Administrators' | X | X | | | 123 | | 2.2.39 | Ensure 'Synchronize directory service data' is set to 'No One' (DC ONLY) | | X | | | 124 | | 2.2.40 | Ensure 'Take ownership of files or other objects' is set to 'Administrators' | X | X | | | 125 | | 2.3.1.1 | Ensure 'Accounts: Administrator account status' is set to 'Disabled' | | | X | Must configure manually | 126 | | 2.3.1.2 | Ensure 'Accounts: Guest account status' is set to 'Disabled' | | | X | Must configure manually | 127 | | 2.3.1.3 | Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' | X | X | | | 128 | | 2.3.1.4 | Configure 'Accounts: Rename administrator account' | X | X | | adminaccount | 129 | 
| 2.3.1.5 | Configure 'Accounts: Rename guest account' | X | X | | guestaccount | 130 | | 2.3.2.1 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'| X | X | | | 131 | | 2.3.2.2 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | X | X | | | 132 | | 2.3.4.1 | Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators | X | X | | | 133 | | 2.3.4.2 | Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' | X | X | | | 134 | | 2.3.5.1 | Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC ONLY) | | X | | | 135 | | 2.3.5.2 | Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC ONLY) | | X | | | 136 | | 2.3.5.3 | Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC ONLY) | | X | | | 137 | | 2.3.6.1 | Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' | X | X | | | 138 | | 2.3.6.2 | Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' | X | X | | | 139 | | 2.3.6.3 | Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' | X | X | | | 140 | | 2.3.6.4 | Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' | X | X | | | 141 | | 2.3.6.5 | Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | X | X | | | 142 | | 2.3.6.6 | Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' | X | X | | | 143 | | 2.3.7.1 | Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' | X | X | | | 144 | | 2.3.7.2 | Ensure 'Interactive logon: Do not require CTRL+ALT_DEL' is set to 'Disabled' | X | X | | | 
145 | | 2.3.7.3 | Configure 'Interactive logon: Message text for users attempting to log on' | | | X | Organizations should use their own text | 146 | | 2.3.7.4 | Configure 'Interactive logon: Message title for users attempting to log on' | | | X | Organizations should use their own text | 147 | | 2.3.7.5 | Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logons' (MS ONLY)| X | | | | 148 | | 2.3.7.6 | Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'| X | X | | | 149 | | 2.3.7.7 | Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS ONLY)| X | | | | 150 | | 2.3.7.8 | Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher | X | X | | | 151 | | 2.3.8.1 | Ensure 'Microsoft network client: Disitally sign communications (always)' is set to 'Enabled' | X | X | | | 152 | | 2.3.8.2 | Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' | X | X | | | 153 | | 2.3.8.3 | Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'| X | X | | | 154 | | 2.3.9.1 | Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minutes, but not 0'| X | X | | | 155 | | 2.3.9.2 | Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | X | X | | | 156 | | 2.3.9.3 | Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' | X | X | | | 157 | | 2.3.9.4 | Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled | X | X | | | 158 | | 2.3.9.5 | Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS ONLY)| 
X | | | | 159 | | 2.3.10.1 | Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | X | X | | | 160 | | 2.3.10.2 | Ensure 'Network access: Do not allow anonymous enumeration of SA accounts' is set to 'Enabled' (MS ONLY)| X | | | | 161 | | 2.3.10.3 | Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shared' is set to 'Enabled' (MS ONLY)| X | | | | 162 | | 2.3.10.4 | Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'| X | X | | | 163 | | 2.3.10.5 | Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | X | X | | | 164 | | 2.3.10.6 | Configure 'Network access: Named Pipes that can be accessed anonymously' | | | X | Support coming soon | 165 | | 2.3.10.7 | Configure 'Network access: Remotely accessible registry paths' | X | X | | | 166 | | 2.3.10.8 | Configure 'Network access: Remotely accessible registry paths and sub-paths' | X | X | | Manually configure this if using the Active Directory Certificate Services, Certification Authority, or WINS Server roles| 167 | | 2.3.10.9 | Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | X | X | | | 168 | | 2.3.10.10 | Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | | | X | Support coming soon | 169 | | 2.3.10.11 | Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'| X | X | | | 170 | | 2.3.11.1 | Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' | X | X | | | 171 | | 2.3.11.2 | Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | X | X | | | 172 | | 2.3.11.3 | Ensure 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled| X | X | | | 173 | | 2.3.11.4 
| Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'| X | X | | | 174 | | 2.3.11.5 | Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'| X | X | | | 175 | | 2.3.11.6 | Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | X | X | | | 176 | | 2.3.11.7 | Ensure 'Network security: LAN Manager authenticatioin level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'| X | X | | | 177 | | 2.3.11.8 | Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | X | X | | | 178 | | 2.3.11.9 | Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'| X | X | || 179 | | 2.3.11.10 | Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'| X | X | || 180 | | 2.3.13.1 | Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' | X | X | | | 181 | | 2.3.15.1 | Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' | X | X | | | 182 | | 2.3.15.2 | Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'| X | X | | | 183 | | 2.3.16.1 | Ensure 'System settings: Optional subsystems' is set to 'Defined: (blank)' . 
| X | X | | | 184 | | 2.3.17.1 | Ensure 'User Account Control: Admin Apprival Mode for the Built-in Administrator account' is set to 'Enabled'| X | X | | | 185 | | 2.3.17.2 | Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'| X | X | | | 186 | | 2.3.17.3 | Ensure 'User Account Control: Behavrior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'| X | X | | | 187 | | 2.3.17.4 | Ensure 'User Accounc Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'| X | X | | | 188 | | 2.3.17.5 | Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'| X | X | | | 189 | | 2.3.17.6 | Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'| X | X | | | 190 | | 2.3.17.7 | Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | X | X | | | 191 | | 2.3.17.8 | Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'| X | X | | | 192 | | 2.3.17.9 | Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'| X | X | | | 193 | | 9.1.1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | X | X | | | 194 | | 9.1.2 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' | X | X | | | 195 | | 9.1.3 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' | X | X | | | 196 | | 9.1.4 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | X | X | | | 197 | | 9.1.5 | Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' | X | X | | | 198 | | 9.1.6 | Ensure 
'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'| X | X | | | 199 | | 9.1.7 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'| X | X | | | 200 | | 9.1.8 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | X | X | | | 201 | | 9.1.9 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | X | X | | | 202 | | 9.1.10 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | X | X | | | 203 | | 9.2.1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | X | X | | | 204 | | 9.2.2 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | X | X | | | 205 | | 9.2.3 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' | X | X | | | 206 | | 9.2.4 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | X | X | | | 207 | | 9.2.5 | Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' | X | X | | | 208 | | 9.2.6 | Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'| X | X | | | 209 | | 9.2.7 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'| X | X | | | 210 | | 9.2.8 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | X | X | | | 211 | | 9.2.9 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | X | X | | | 212 | | 9.2.10 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | X | X | | | 213 | | 9.3.1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | X | X | | | 214 | | 9.3.2 | Ensure 'Windows Firewall: Public: Inbound 
connections' is set to 'Block (default)' | X | X | | | 215 | | 9.3.3 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | X | X | | | 216 | | 9.3.4 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' | X | X | | | 217 | | 9.3.5 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | X | X | | | 218 | | 9.3.6 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | X | X | | | 219 | | 9.3.7 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'| X | X | | | 220 | | 9.3.8 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | X | X | | | 221 | | 9.3.9 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | X | X | | | 222 | | 9.3.10 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | X | X | | | 223 | | 17.x.x | Advanced Audit Policy Configuration | X | X | | | 224 | | 18.2.x | LAPS | | | X | This section only applies if your organization is using LAPS | 225 | | 18.3.x | MSS (Legacy) | | | X | This section only applies if your organization is using MSS (Legacy)| 226 | | 18.4.11.2 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'| X | X | | | 227 | | 18.4.11.3 | Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | X | X | | | 228 | | 18.4.14.1 | Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'| | | X | Support coming soon| 229 | | 18.4.19.2.1 | Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | | | X | Support coming soon | 230 | | 18.6.1 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set 
to 'Enabled' (MS ONLY) | | | X | Support coming soon | 231 | | 18.6.2 | Ensure 'WDigest Authentication' is set to 'Disabled' | | | X | Support coming soon | 232 | | 18.8.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | | | X | Support coming soon | 233 | | 18.8.6.2 | Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled' | X | X | | | 234 | | 18.8.19.2 | Ensure 'configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'| X | X | | | 235 | | 18.8.19.3 | Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'| X | X | | | 236 | | 18.8.19.4 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | | | X | Support coming soon | 237 | | 18.8.25.1 | Ensure 'Always use classic logon' is set to 'Enabled' (MS ONLY) | X | | | | 238 | | 18.8.31.1 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | X | X | | | 239 | | 18.8.31.2 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | X | X | | | 240 | | 18.8.32.1 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS ONLY) | X | | | | 241 | | 18.9.8.1 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | X | X | | | 242 | | 18.9.8.2 | Ensure 'set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'| X | X | | | 243 | | 18.9.8.3 | Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | X | X | | | 244 | | 18.9.15.1 | Ensure 'Do not display the password reveal button' is set to 'Enabled' | | | X | Support coming soon | 245 | | 18.9.15.2 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | X | X | | | 246 | | 18.9.18.1 | Ensure 'Turn off desktop gadgets' is set to 'Enabled' | X | X | | | 247 | | 18.9.18.2 | Ensure 'Turn off user-installed desktop gadgets' is set to 
'Enabled' | X | X | | | 248 | | 18.9.24.x | EMET | | | X | Support coming soon | 249 | | 18.9.26.1.1 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'| X | X | | | 250 | | 18.9.26.1.2 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'| X | X | | | 251 | | 18.9.26.2.1 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'| X | X | | | 252 | | 18.9.26.2.2 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | X | X | | | 253 | | 18.9.26.3.1 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'| X | X | | | 254 | | 18.9.26.3.2 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | X | X | | | 255 | | 18.9.26.4.1 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'| X | X | | | 256 | | 18.9.26.4.2 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | X | X | | | 257 | | 18.9.30.2 | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | X | X | | | 258 | | 18.9.30.3 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | X | X | | | 259 | | 18.9.30.4 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | X | X | | | 260 | | 18.9.47.1 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | | | X | Support coming soon | 261 | | 18.9.47.2 | Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | | | X | Support coming soon | 262 | | 18.9.52.2.2 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | X | X | | | 263 | | 18.9.52.3.3.2 | Ensure 'Do not allow drive redirection' is set to 'Enabled' | X | X | | | 264 | | 18.9.52.3.9.1 
| Ensure 'Always prompt for password upon connection' is set to 'Enabled' | X | X | | | 265 | | 18.9.52.3.9.2 | Ensure 'Require secure RPC communication' is set to 'Enabled' | X | X | | | 266 | | 18.9.52.3.9.3 | Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' | X | X | | | 267 | | 18.9.52.3.11.1 | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | X | X | | | 268 | | 18.9.52.3.11.2 | Ensure 'Do not use temporary folders per session' is set to 'Disabled' | X | X | | | 269 | | 18.9.53.1 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | X | X | | | 270 | | 18.9.54.2 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | | | X | Support coming soon | 271 | | 18.9.70.2.1 | Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' | X | X | | | 272 | | 18.9.74.1 | Ensure 'Allow user control over installs' is set to 'Disabled' | X | X | | | 273 | | 18.9.74.2 | Ensure 'Always install with elevated privileges' is set to 'Disabled' | X | X | | | 274 | | 18.9.84.1 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | | | X | Support coming soon | 275 | | 18.9.84.2 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | | | X | Support coming soon | 276 | | 18.9.86.1.1 | Ensure 'Allow Basic authentication' is set to 'Disabled' | X | X | | | 277 | | 18.9.86.1.2 | Ensure 'Allow unencrypted traffic' is set to 'Disabled' | X | X | | | 278 | | 18.9.86.1.3 | Ensure 'Disallow Digest authentication' is set to 'Enabled' | X | X | | | 279 | | 18.9.86.2.1 | Ensure 'Allow Basic authentication' is set to 'Disabled' | X | X | | | 280 | | 18.9.86.2.3 | Ensure 'Allow unencrypted traffic' is set to 'Disabled' | X | X | | | 281 | | 18.9.86.2.4 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | | | X | Support coming soon | 282 | | 18.9.90.2 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | X | X | | | 283 | | 18.9.90.3 
| Ensure 'Configure Automatic Updates: Schedule install day' is set to '0 - Every day' | X | X | | | 284 | | 18.9.90.4 | Ensure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled'| X | X | | | 285 | | 18.9.90.5 | Ensure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled'| X | X | | | 286 | | 18.9.90.6 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'| X | X | | | 287 | | 18.9.90.7 | Ensure 'Reschedule Automatic Updates scheduled installations' is set to 'Enabled: 1 minute' | X | X | | | 288 | | 19.x.x.x.x | Administrative Templates (User) | | | X | Support coming soon | 289 | 290 | 291 | 292 | ### Level 2 293 | | |Control | Enforced | | | Notes | 294 | |---|----------------------------------------------------------------------------------------------------------------|----------|---|-----|------------------------------------------------------------------| 295 | | | | MS | DC| N/A | | 296 | | 2.2.29 | Ensure 'Log on as a batch job' is set to 'Administrators' (DC ONLY) | | X | | | 297 | | 18.4.9.1 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | X | X | | | 298 | | 18.4.9.2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | X | X | | | 299 | | 18.4.10.2 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | X | X | | | 300 | | 18.4.20.1 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | X | X | | | 301 | | 18.4.20.2 | Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | X | X | | | 302 | | 18.8.20.1.x | Internet Communication Settings | | | X | Support coming soon | 303 | | 18.8.29.5.1 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | | | X | Support coming soon | 304 | | 18.8.29.5.2 | Ensure 'Require a 
password when a computer wakes (plugged in)' is set to 'Enabled' | | | X | Support coming soon | 305 | | 18.8.32.2 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS ONLY) | | | X | Support coming soon | 306 | | 18.8.39.5.1 | Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'| | | X | Support coming soon | 307 | | 18.8.39.11.1 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | | | X | Support coming soon | 308 | | 18.8.44.1.1 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | | | X | Support coming soon | 309 | | 18.8.44.1.2 | Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS ONLY) | | | X | Support coming soon | 310 | | 18.9.37.1 | Ensure 'Turn off location' is set to 'Enabled' | X | X | | | 311 | | 18.9.52.3.2.1 | Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'| X | X | | | 312 | | 18.9.52.3.3.1 | Ensure 'Do not allow COM port redirection' is set to 'Enabled' | X | X | | | 313 | | 18.9.52.3.3.3 | Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | X | X | | | 314 | | 18.9.52.3.3.4 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | X | X | | | 315 | | 18.9.52.3.10.1 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'| X | X | | | 316 | | 18.9.52.3.10.2 | Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | X | X | | | 317 | | 18.9.69.3.1 | Ensure 'Join Microsoft MAPS' is set to 'Disabled' | | | X | Support coming soon | 318 | | 18.9.74.3 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | X | X | | | 319 | | 18.9.86.2.2 | Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | | | X | Support coming soon | 320 | | 18.9.87.1 | Ensure 'Allow Remote 
Shell Access' is set to 'Disabled' | X | X | | | 321 | 322 | 323 | ### Variable List 324 | These variables should be used to override default values. They correspond with the controls above. 325 | 326 | ``` puppet 327 | $is_domain_controller 328 | $ensure_enforce_password_history_is_set_to_24_or_more_passwords 329 | $ensure_maximum_password_age_is_set_to_60_or_fewer_days_but_not_0 330 | $ensure_minimum_password_age_is_set_to_1_or_more_days 331 | $ensure_minimum_password_length_is_set_to_14_or_more_characters 332 | $ensure_password_must_meet_complexity_requirements_is_set_to_enabled 333 | $ensure_store_passwords_using_reversible_encryption_is_set_to_disabled 334 | $ensure_account_lockout_duration_is_set_to_15_or_more_minutes 335 | $ensure_account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0 336 | $ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes 337 | $ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one 338 | $configure_access_this_computer_from_the_network 339 | $ensure_act_as_part_of_the_operating_system_is_set_to_no_one 340 | $ensure_add_workstations_to_domain_is_set_to_administrators 341 | $ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service 342 | $configure_allow_log_on_locally 343 | $configure_allow_log_on_through_remote_desktop_services 344 | $ensure_back_up_files_and_directories_is_set_to_administrators 345 | $ensure_change_the_system_time_is_set_to_administrators_local_service 346 | $ensure_change_the_time_zone_is_set_to_administrators_local_service 347 | $ensure_create_a_pagefile_is_set_to_administrators 348 | $ensure_create_a_token_object_is_set_to_no_one 349 | $ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service 350 | $ensure_create_permanent_shared_objects_is_set_to_no_one 351 | $configure_create_symbolic_links 352 | $ensure_debug_programs_is_set_to_administrators 353 | 
$configure_deny_access_to_this_computer_from_the_network 354 | $ensure_deny_log_on_as_a_batch_job_to_include_guests 355 | $ensure_deny_log_on_as_a_service_to_include_guests 356 | $ensure_deny_log_on_locally_to_include_guests 357 | $ensure_deny_log_on_through_remote_desktop_services_to_include_guests_local_account 358 | $configure_enable_computer_and_user_acounts_to_be_trusted_for_delegation 359 | $ensure_force_shutdown_from_a_remote_system_is_set_to_administrators 360 | $ensure_generate_security_audits_is_set_to_local_service_network_service 361 | $configure_impersonate_a_client_after_authentication 362 | $ensure_increase_scheduling_priority_is_set_to_administrators 363 | $ensure_load_and_unload_device_drivers_is_set_to_administrators 364 | $ensure_lock_pages_in_menory_is_set_to_no_one 365 | $ensure_log_on_as_a_batch_job_is_set_to_administrators #LEVEL 2 366 | $configure_manage_auditing_and_security_log 367 | $ensure_modify_an_object_label_is_set_to_no_one 368 | $ensure_modify_firmware_environment_values_is_set_to_administrators 369 | $ensure_perform_volume_maintenance_tasks_is_set_to_administrators 370 | $ensure_profile_single_process_is_set_to_administrators 371 | $ensure_profile_system_performance_is_set_to_administrators_nt_service_wdiservicehost 372 | $ensure_replace_a_process_level_token_is_set_to_local_service_network_service 373 | $ensure_restore_files_and_directories_is_set_to_administrators 374 | $ensure_shut_down_the_system_is_set_to_administrators 375 | $ensure_synchronize_directory_service_data_is_set_to_no_one 376 | $ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators 377 | $ensure_accounts_administrator_account_status_is_set_to_disabled 378 | $ensure_accounts_guest_account_status_is_set_to_disabled 379 | $ensure_accounts_limit_local_account_use_of_blank_password_to_console_logon_only_is_set_to_enabled 380 | $configure_accounts_rename_administrator_account 381 | $configure_accounts_rename_guest_account 382 | 
$ensure_audit_force_audit_policy_subcategory_settings_to_override_audit_policy_category_settings 383 | $ensure_audit_shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_disabled 384 | $ensure_devices_allowed_to_format_and_eject_removable_media_is_set_to_administrators 385 | $ensure_devices_prevent_users_from_installing_printer_drivers_is_set_to_enabled 386 | $ensure_domain_controller_allow_server_operators_to_schedule_tasks_is_set_to_disabled 387 | $ensure_domain_controller_ldap_server_signing_requirements_is_set_to_require_signing 388 | $ensure_domain_controller_refuse_machine_account_password_changes_is_set_to_disabled 389 | $ensure_domain_member_digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_enabled 390 | $ensure_domain_member_digitally_encrypt_or_sign_secure_channel_data_when_possible_is_set_to_enabled 391 | $ensure_domain_member_digitally_sign_secure_channel_data_when_possible_is_set_to_enabled 392 | $ensure_domain_member_disable_machine_account_password_changes_is_set_to_disabled 393 | $ensure_domain_member_maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0 394 | $ensure_domain_member_require_strong_session_key_windows_2000_or_later_is_set_to_enabled 395 | $ensure_interactive_logon_do_not_display_last_user_name_is_set_to_enabled 396 | $ensure_interactive_logon_do_not_require_ctrl_alt_del_is_set_to_disabled 397 | $configure_interactive_logon_message_text_for_users_attempting_to_log_on 398 | $configure_interactive_logon_message_title_for_users_attempting_to_log_on 399 | $ensure_interactive_logon_number_of_previous_logons_to_cache_is_set_to_4_or_fewer_logons #LEVEL 2 400 | $ensure_interactive_logon_prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days 401 | $ensure_interactive_logon_require_domain_controller_authentication_to_unlock_workstation_is_set_to_enabled 402 | $ensure_interactive_logon_smart_card_removal_behavior_is_set_to_lock_workstation_or_higher 403 | 
$ensure_microsoft_network_client_digitally_sign_communications_always_is_set_to_enabled 404 | $ensure_microsoft_network_client_digitally_sign_communications_if_server_agrees_is_set_to_enabled 405 | $ensure_microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers_is_set_to_disabled 406 | $ensure_microsoft_network_server_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes 407 | $ensure_microsoft_network_server_digitally_sign_communications_always_is_set_to_enabled 408 | $ensure_microsoft_network_server_digitally_sign_communications_if_client_agrees_is_set_to_enabled 409 | $ensure_microsoft_network_server_disconnect_clients_when_logon_hours_expire_is_set_to_enabled 410 | $ensure_microsoft_network_server_spn_target_name_validation_level_is_set_to_accept_if_provided_by_client 411 | $ensure_network_access_allow_anonymous_sid_name_tranlation_is_set_to_disabled 412 | $ensure_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_is_set_to_enabled 413 | $ensure_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shared_is_set_to_enabled 414 | $ensure_network_access_do_not_allow_storage_of_password_and_credentials_for_authentication_is_set_to_enabled #LEVEL 2 415 | $ensure_network_access_let_everyone_permissions_apply_to_anonymous_users_is_set_to_disabled 416 | $configure_network_access_named_pipes_that_can_be_accessed_anonymously 417 | $configure_network_access_remotely_accessible_registry_paths 418 | $configure_network_access_remotely_accessible_registry_paths_and_sub_paths 419 | $ensure_network_access_restrict_anonymous_access_to_named_pipes_and_shares_is_set_to_enabled 420 | $ensure_network_access_shares_that_can_be_accessed_anonymously_is_set_to_none 421 | $ensure_network_access_sharing_and_security_model_for_local_accounts_is_set_to_classic 422 | $ensure_network_security_allow_local_system_to_use_computer_identity_for_ntlm_is_set_to_enabled 423 | 
$ensure_network_security_allow_localsystem_null_session_fallback_is_set_to_disabled 424 | $ensure_network_security_allow_pku2u_authentication_requests_to_use_online_identities_is_set_to_disabled 425 | $ensure_network_security_configure_encryption_types_allow_for_kerberos 426 | $ensure_network_security_do_not_store_lan_manager_hash_value_on_next_password_change_is_set_to_enabled 427 | $ensure_network_security_force_logoff_when_logon_hours_expire_is_set_to_enabled 428 | $ensure_network_security_lan_manager_authentication_level_is_set_to_send_ntlmv2_response_only 429 | $ensure_network_security_ldap_client_signing_requirements_is_set_to_negotiate_signing 430 | $ensure_network_security_minimum_session_security_for_ntlm_ssp_based_clients 431 | $ensure_network_security_minimum_session_security_for_ntlm_ssp_based_servers 432 | $ensure_shutdown_allow_system_to_be_shutdown_without_having_to_logon_is_set_to_disabled 433 | $ensure_system_objects_require_case_insensitivity_for_non_windows_subsystems_is_enabled 434 | $ensure_system_objects_strengthen_default_permissions_of_internal_system_objects_is_enabled 435 | $ensure_system_settings_optional_subsystems_is_set_to_defined_blank 436 | $ensure_user_account_control_admin_approval_mode_for_the_admin_account_is_enabled 437 | $ensure_user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_is_disabled 438 | $ensure_user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode 439 | $ensure_user_account_control_behavior_of_the_elevation_prompt_for_standard_users 440 | $ensure_user_account_control_detect_application_installations_and_prompt_for_elevation_is_enabled 441 | $ensure_user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations 442 | $ensure_user_account_control_run_all_administrators_in_admin_approval_mode_is_enabled 443 | $ensure_user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation_is_enabled 444 | 
$ensure_user_account_control_virtualize_file_and_registry_write_failures_to_per_user_location_is_enabled 445 | $ensure_windows_firewall_domain_firewall_state_is_set_to_on_recommended 446 | $ensure_windows_firewall_domain_inbound_connections_is_set_to_block_default 447 | $ensure_windows_firewall_domain_outbound_connections_is_set_to_allow_default 448 | $ensure_windows_firewall_domain_settings_display_a_notification_is_set_to_no 449 | $ensure_windows_firewall_domain_settings_apply_local_firewall_rules_is_set_to_yes_default 450 | $ensure_windows_firewall_domain_settings_apply_local_connection_security_rules_is_yes 451 | $ensure_windows_firewall_domain_logging_name_is_set_to_domainfwlog 452 | $ensure_windows_firewall_domain_logging_size_limit_is_16384_or_greater 453 | $ensure_windows_firewall_domain_logging_log_dropped_packets_is_set_to_yes 454 | $ensure_windows_firewall_domain_logging_log_successful_connections_is_set_to_yes 455 | $ensure_windows_firewall_private_firewall_state_is_set_to_on_recommended 456 | $ensure_windows_firewall_private_inbound_connections_is_set_to_block_default 457 | $ensure_windows_firewall_private_outbound_connections_is_set_to_allow_default 458 | $ensure_windows_firewall_private_settings_display_a_notification_is_set_to_no 459 | $ensure_windows_firewall_private_settings_apply_local_firewall_rules_is_set_to_yes_default 460 | $ensure_windows_firewall_private_settings_apply_local_connection_security_rules_is_set_to_yes_default 461 | $ensure_windows_firewall_private_logging_name_is_set_to_privatefwlog 462 | $ensure_windows_firewall_private_logging_size_limit_is_set_to_16384_or_greater 463 | $ensure_windows_firewall_private_logging_log_dropped_packets_is_set_to_yes 464 | $ensure_windows_firewall_private_logging_log_successful_connections_is_set_to_yes 465 | $ensure_windows_firewall_public_firewall_state_is_set_to_on_recommended 466 | $ensure_windows_firewall_public_inbound_connections_is_set_to_block_default 467 | 
$ensure_windows_firewall_public_outbound_connections_is_set_to_allow_default 468 | $ensure_windows_firewall_public_settings_display_a_notification_is_set_to_yes 469 | $ensure_windows_firewall_public_settings_apply_local_firewall_rules_is_set_to_no 470 | $ensure_windows_firewall_public_settings_apply_local_connection_security_rules_is_set_to_no 471 | $ensure_windows_firewall_public_logging_name_is_set_to_publicfwlog 472 | $ensure_windows_firewall_public_logging_size_limit_is_set_to_16384_or_greater 473 | $ensure_windows_firewall_public_logging_log_dropped_packets_is_set_to_yes 474 | $ensure_windows_firewall_public_logging_log_successful_connections_is_set_to_yes 475 | $advanced_audit_policy_configuration 476 | $ensure_laps_admpwd_gpo_extension_cse_is_installed #MS ONLY 477 | $ensure_do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_enabled 478 | $ensure_enable_local_admin_password_management_is_set_to_enabled 479 | $ensure_password_settings_password_complexity_is_set_to_enabled_large_letters_small_letters_numbers_special_characters 480 | $ensure_password_settings_password_length_is_set_to_enabled_15_or_more 481 | $ensure_password_settings_password_age_days_is_set_to_enabled_30_or_fewer 482 | $ensure_mss_autoadminlogon_enable_automatic_logon_not_recommended_is_set_to_disabled 483 | $ensure_mss_disableipsourcerouting_ipv6_ip_source_routing_protection_level_is_set_to_enabled_highest_protection_source_routing_disabled 484 | $ensure_mss_disableipsourcerouting_ip_source_routing_protection_level_is_set_to_enabled_highest_protection_source_routing_disabled 485 | $ensure_mss_enableicmpredirect_allow_icmp_redirects_to_override_ospf_generated_routes_is_set_to_disabled 486 | $ensure_mss_keepalivetime_how_often_keepalive_packets_are_sent_in_millisecondsis_set_to_enabled_300000_or_5_minutes #LEVEL 2 487 | $ensure_mss_nonamereleaseondemand_allow_the_computer_to_ignore_netbios_name_release_requests_except_from_wins_server_is_enabled 488 | 
$ensure_mss_performrouterdiscovery_allow_irdp_to_detect_and_configure_default_gateway_addresses_is_set_to_disabled #LEVEL 2 489 | $ensure_mss_safediisearchmode_enable_safe_dll_search_mode_is_set_to_enabled 490 | $ensure_mss_screensavergraceperiod_the_time_in_seconds_before_the_screen_saver_grace_period_expired_is_set_to_enabled_5_or_fewer 491 | $ensure_mss_tcpmaxdataretranmissions_ipv6_how_many_times_unacknowledged_data_is_retransmitted_is_set_to_enabled_3 492 | $ensure_mss_tcpmaxdataretransmissions_how_many_times_unacknowledged_data_is_retransmitted_is_set_to_enabled_3 493 | $ensure_mss_warninglevel_percentage_threshold_for_the_security_event_log_is_set_to_enabled_90_or_less 494 | $ensure_turn_on_mapper_io_lltdio_driver_is_set_to_disabled #LEVEL 2 495 | $ensure_turn_on_responder_rspndr_driver_is_set_to_disabled #LEVEL 2 496 | $ensure_turn_off_microsoft_peer_to_peer_networking_services_is_set_to_enabled #LEVEL 2 497 | $ensure_prohibit_installation_and_configuration_of_network_bridge_on_your_dns_domain_network_is_set_to_enabled 498 | $ensure_require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_enabled 499 | $ensure_hardened_unc_paths_is_set_to_enabled_with_require_mutual_authentication_and_require_integrity_for_all_netlogon_and_sysvol_shares 500 | $disable_ipv6_ensure_tcpip6_parameter_disabledcomponents_is_set_to_0xff255 #LEVEL 2 501 | $ensure_configuration_of_wireless_settings_using_windows_connect_now_is_set_to_disabled #LEVEL 2 502 | $ensure_prohibit_access_of_the_windows_connect_now_wizards_is_set_to_enabled #LEVEL 2 503 | $ensure_apply_uac_restrictions_to_local_accounts_on_network_logons_is_set_to_enabled 504 | $ensure_wdigest_authentication_is_set_to_disabled 505 | $ensure_include_command_line_in_process_creation_events_is_set_to_disabled 506 | $ensure_allow_remote_access_to_the_plug_and_play_interface_is_set_to_disabled 507 | 
$ensure_configure_registry_policy_processing_do_not_apply_during_periodic_background_processing_is_set_to_enabled_false 508 | $ensure_configure_registry_policy_processing_process_even_if_the_group_policy_objects_have_not_changed_is_set_to_enabled_true 509 | $ensure_turn_off_background_refresh_of_group_policy_is_set_to_disabled 510 | $ensure_turn_off_downloading_of_print_drivers_over_http_is_set_to_enabled #LEVEL 2 511 | $ensure_turn_off_handwriting_personalization_data_sharing_is_set_to_enabled #LEVEL 2 512 | $ensure_turn_off_handwriting_recognition_error_reporting_is_set_to_enabled #LEVEL 2 513 | $ensure_turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoftcom_is_set_to_enabled #LEVEL 2 514 | $ensure_turn_off_internet_download_for_web_publishing_and_online_ordering_wizards_is_set_to_enabled #LEVEL 2 515 | $ensure_turn_off_internet_file_association_service_is_set_to_enabled #LEVEL 2 516 | $ensure_turn_off_printing_over_http_is_set_to_enabled #LEVEL 2 517 | $ensure_turn_off_registration_if_url_connection_is_referring_to_microsoftcom_is_set_to_enabled #LEVEL 2 518 | $ensure_turn_off_search_companion_content_file_updates_is_set_to_enabled #LEVEL 2 519 | $ensure_turn_off_the_order_prints_picture_task_is_set_to_enabled #LEVEL 2 520 | $ensure_turn_off_the_publish_to_web_task_for_files_and_folders_is_set_to_enabled #LEVEL 2 521 | $ensure_turn_off_the_windows_messenger_customer_experience_improvement_program_is_set_to_enabled #LEVEL 2 522 | $ensure_turn_off_windows_customer_experience_improvement_program_is_set_to_enabled #LEVEL 2 523 | $ensure_turn_off_windows_error_reporting_is_set_to_enabled #LEVEL 2 524 | $ensure_always_use_classic_logon #MS ONLY 525 | $ensure_require_a_password_when_a_computer_wakes_on_battery_is_set_to_enabled #LEVEL 2 526 | $ensure_require_a_password_when_a_computer_wakes_plugged_in_is_set_to_enabled #LEVEL 2 527 | $ensure_configure_offer_remote_assistance_is_set_to_disabled 528 | 
$ensure_configure_solicited_remote_assistance_is_set_to_disabled 529 | $ensure_enable_rpc_endpoint_mapper_client_authentication_is_set_to_enabled #MS ONLY 530 | $ensure_restrict_unauthenticated_rpc_clients_is_set_to_enabled_authenticatied #LEVEL 2 MS ONLY 531 | $ensure_microsoft_support_diagnostic_tool_turn_on_msdt_interactive_communication_with_support_provider_is_set_to_disabled #LEVEL 2 532 | $ensure_enable_disable_perftrack_is_set_to_disabled #LEVEL 2 533 | $ensure_enable_windows_ntp_client_is_set_to_enabled #LEVEL 2 534 | $ensure_enable_windows_ntp_server_is_set_to_disabled #LEVEL 2 MS ONLY 535 | $ensure_disallow_autoplay_for_non_volume_devices_is_set_to_enabled 536 | $ensure_set_the_default_behavior_for_autorun_is_set_to_enabled_do_not_execute_any_autorun_commands 537 | $ensure_turn_off_autoplay_is_set_to_enabled_all_drives 538 | $ensure_do_not_display_the_password_reveal_button_is_set_to_enabled 539 | $ensure_enumerate_administrator_accounts_on_elevation_is_set_to_disabled 540 | $ensure_turn_off_desktop_gadgets_is_set_to_enabled 541 | $ensure_turn_off_user_installed_desktop_gadgets_is_set_to_enabled 542 | $ensure_emet_551_or_higher_is_installed 543 | $ensure_default_action_and_mitigation_settings_is_set_to_enabled_plus_subsettings 544 | $ensure_default_protections_for_internet_explorer_is_set_to_enabled 545 | $ensure_default_protections_for_popular_software_is_set_to_enabled 546 | $ensure_default_protections_for_recommended_software_is_set_to_enabled 547 | $ensure_system_aslr_is_set_to_enabled_application_opt_in 548 | $ensure_system_dep_is_set_to_enabled_application_opt_out 549 | $ensure_system_sehop_is_set_to_enabled_application_opt_out 550 | $ensure_application_control_event_log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_disabled 551 | $ensure_application_specify_the_maximum_log_file_size_kb_is_set_to_enabled_32768_or_greater 552 | $ensure_security_control_event_log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_disabled 
553 | $ensure_security_specify_the_maximum_log_file_size_kb_is_set_to_enabled_196608_or_greater 554 | $ensure_setup_control_event_log_behavior_when_the_log_reaches_its_maximum_size_is_set_to_disabled 555 | $ensure_setup_specify_the_maximum_log_file_size_kb_is_set_to_enabled_32768_or_greater 556 | $ensure_system_control_event_log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_disabled 557 | $ensure_system_specify_the_maximum_log_file_size_kb_is_set_to_enabled_32768_or_greater 558 | $ensure_turn_off_data_execution_prevention_for_explorer_is_set_to_disabled 559 | $ensure_turn_off_heap_termination_on_corruption_is_set_to_disabled 560 | $ensure_turn_off_shell_protocol_proteted_mode_is_set_to_disabled 561 | $ensure_turn_off_location_is_set_to_enabled #LEVEL 2 562 | $ensure_prevent_the_usage_of_onedrive_for_filestorage_is_set_to_enabled 563 | $ensure_prevent_the_usage_of_onedrive_for_file_storage_on_windows_81_is_set_to_enabled 564 | $ensure_do_not_allow_passwords_to_be_saved_is_set_to_enabled 565 | $ensure_restrict_remote_desktop_services_users_to_a_single_remote_desktop_services_session_is_set_to_enabled #LEVEL 2 566 | $ensure_do_not_allow_com_port_redirection_is_set_to_enabled #LEVEL 2 567 | $ensure_do_not_allow_drive_redirection_is_set_to_enabled 568 | $ensure_do_not_allow_lpt_port_redirection_is_set_to_enabled #LEVEL 2 569 | $ensure_do_not_allow_supported_plug_and_play_device_redirection_is_set_to_enabled #LEVEL 2 570 | $ensure_always_prompt_for_password_upon_connection_is_set_to_enabled 571 | $ensure_require_secure_rpc_communication_is_set_to_enabled 572 | $ensure_set_client_connection_encryption_level_is_set_to_enabled_high_level 573 | $ensure_set_time_limit_for_active_but_idle_remote_desktop_services_sessions_is_set_to_enabled_15_minutes_or_less #LEVEL 2 574 | $ensure_set_time_limit_for_disconnected_sessions_is_set_to_enabled_1_minute #LEVEL 2 575 | $ensure_do_not_delete_temp_folders_upon_exit_is_set_to_disabled 576 | 
$ensure_do_not_use_temporary_folders_per_session_is_set_to_disabled 577 | $ensure_prevent_downloading_of_enclosures_is_set_to_enabled 578 | $ensure_allow_indexing_of_encrypted_files_is_set_to_disabled 579 | $ensure_join_microsoft_maps_is_set_to_disabled #LEVEL 2 580 | $ensure_configure_default_consent_is_set_to_enabled_always_ask_before_sending_data 581 | $ensure_allow_user_control_over_installs_is_set_to_disabled 582 | $ensure_always_install_with_elevated_privileges_is_set_to_disabled 583 | $ensure_prevent_internet_explorer_security_prompt_for_windows_installer_scripts_is_set_to_disabled #LEVEL 2 584 | $ensure_turn_on_powershell_script_block_logging_is_set_to_disabled 585 | $ensure_turn_on_powershell_transcription_is_set_to_disabled 586 | $ensure_winrm_client_allow_basic_authentication_is_set_to_disabled 587 | $ensure_winrm_client_allow_unencrypted_traffic_is_set_to_disabled 588 | $ensure_disallow_digest_authentication_is_set_to_enabled 589 | $ensure_winrm_service_allow_basic_authentication_is_set_to_disabled 590 | $ensure_allow_remote_server_management_through_winrm_is_set_to_disabled #LEVEL 2 591 | $ensure_winrm_service_allow_unencrypted_traffic_is_set_to_disabled 592 | $ensure_disallow_winrm_from_storing_runas_credentials_is_set_to_enabled 593 | $ensure_allow_remote_shell_access_is_set_to_disabled #LEVEL 2 594 | $ensure_configure_automatic_updates_is_set_to_enabled 595 | $ensure_configure_automatic_updates_scheduled_install_day_is_set_to_0_every_day 596 | $ensure_do_not_adjust_default_option_to_install_updates_and_shut_down_in_shut_down_windows_dialog_box_is_set_to_disabled 597 | $ensure_do_not_display_install_updates_and_shut_down_option_in_shut_down_windows_dialog_box_is_set_to_disabled 598 | $ensure_no_auto_restart_with_logged_on_users_for_scheduled_automatic_updates_installations_is_set_to_disabled 599 | $ensure_reschedule_automatic_updates_scheduled_installations_is_set_to_enabled_1_minute 600 | $ensure_enable_screen_saver_is_set_to_enabled 601 | 
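$ensure_force_specific_screen_saver_screen_saver_executable_name_is_set_to_enabled_scrnsavescr
$ensure_password_protect_the_screen_saver_is_set_to_enabled
$ensure_screen_saver_timeout_is_set_to_enabled_900_seconds_or_fewer_but_not_0
$ensure_turn_off_help_experience_improvement_program_is_set_to_enabled # LEVEL 2
$ensure_do_not_preserve_zone_information_in_file_attachments_is_set_to_disabled
$ensure_notify_antivirus_programs_when_opening_attachments_is_set_to_enabled
$ensure_prevent_users_from_sharing_files_within_their_profile_is_set_to_enabled
$ensure_always_install_with_elevated_privileges_is_set_to_disabled_windows_installer
$ensure_prevent_codec_download_is_set_to_enabled #LEVEL 2
```

## Limitations

Every parameter is a plain Boolean switch; the benchmark item it maps to is encoded in the parameter name. Items tagged `LEVEL 2` default to `false` and the `MS ONLY` items default to `true`, so set `is_domain_controller` deliberately (it defaults to `false`) and check `manifests/configure.pp` for how the domain-controller / member-server split is applied before running the class on a domain controller.

Several defaults follow the benchmark text literally and reduce host telemetry that detection tooling commonly relies on. In particular `ensure_include_command_line_in_process_creation_events_is_set_to_disabled` defaults to `true`, so the process-creation auditing enabled by `files/auditMS.csv` / `files/auditDC.csv` produces events without the command line, and the `ensure_turn_on_powershell_script_block_logging_is_set_to_disabled` / `ensure_turn_on_powershell_transcription_is_set_to_disabled` switches turn off PowerShell script block logging and transcription when enabled. Review those settings against your logging requirements before deploying.

## Development
Future Release:
- Support more server versions
- Edit parameters with hiera
- Add more level 2 features
- Allow more customization

## Contributors
Jack Coleman
--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
# frozen_string_literal: true

require 'json'
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-syntax/tasks/puppet-syntax'
require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?
require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any?

# True only when `rake changelog` is the task being invoked. The changelog_*
# helpers below return nil for any other task, so a missing token or a
# missing metadata.json field never breaks unrelated rake targets.
def changelog_task_requested?
  Rake.application.top_level_tasks.include?('changelog')
end

# Parses the module's metadata.json and returns it as a Hash.
#
# JSON.parse is used deliberately instead of JSON.load: JSON.load can enable
# `create_additions`, which instantiates whatever class a `json_class` key in
# the document names. metadata.json is repo-controlled, but a plain parse is
# the right API for data that is only read for its string fields.
def module_metadata
  JSON.parse(File.read('metadata.json'))
end

# GitHub user/org for the changelog generator, taken from metadata.json's
# "author". Returns nil unless the changelog task was requested.
# @raise [RuntimeError] if the author field is missing
def changelog_user
  return unless changelog_task_requested?
  author = module_metadata['author']
  raise 'unable to find the changelog_user in .sync.yml, or the author in metadata.json' if author.nil?
  puts "GitHubChangelogGenerator user:#{author}"
  author
end

# Repository name for the changelog generator, taken from metadata.json's
# "name". Returns nil unless the changelog task was requested.
# @raise [RuntimeError] if the name field is missing
def changelog_project
  return unless changelog_task_requested?
  project = module_metadata['name']
  raise 'unable to find the changelog_project in .sync.yml or the name in metadata.json' if project.nil?
  puts "GitHubChangelogGenerator project:#{project}"
  project
end

# Version label for unreleased changes, taken from metadata.json's "version".
# Returns nil unless the changelog task was requested.
# @raise [RuntimeError] if the version field is missing
def changelog_future_release
  return unless changelog_task_requested?
  version = module_metadata['version']
  raise 'unable to find the future_release (version) in metadata.json' if version.nil?
  puts "GitHubChangelogGenerator future_release:#{version}"
  version
end

PuppetLint.configuration.send('disable_relative')

if Bundler.rubygems.find_name('github_changelog_generator').any?
  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
    # The generator reads the token from the environment itself; an empty
    # value is as unusable as an absent one, so both are rejected up front.
    if changelog_task_requested? && ENV['CHANGELOG_GITHUB_TOKEN'].to_s.empty?
      raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'"
    end
    config.user = changelog_user.to_s
    config.project = changelog_project.to_s
    config.future_release = changelog_future_release.to_s
    config.exclude_labels = ['maintenance']
    config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
    config.add_pr_wo_labels = true
    config.issues = false
    config.merge_prefix = '### UNCATEGORIZED PRS; GO LABEL THEM'
    config.configure_sections = {
      'Changed' => {
        'prefix' => '### Changed',
        'labels' => ['backwards-incompatible'],
      },
      'Added' => {
        'prefix' => '### Added',
        'labels' => ['feature', 'enhancement'],
      },
      'Fixed' => {
        'prefix' => '### Fixed',
        'labels' => ['bugfix'],
      },
    }
  end
else
  desc 'Generate a Changelog from GitHub'
  task :changelog do
    # NOTE(review): the original heredoc was garbled in this listing; only its
    # tail (`>= Gem::Version.new('2.2.2')"`) survived, so the message below is
    # a reconstruction of its intent rather than the upstream wording.
    raise <<-EOM
The changelog task depends on the github_changelog_generator gem, which is not
in the current bundle. Add it to the development gem group for Ruby >= 2.2.2
and run `bundle install` again.
    EOM
  end
end
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
---
version: 1.1.x.{build}
skip_commits:
  message: /^\(?doc\)?.*/
clone_depth: 10
init:
  # NOTE(review): `SET` prints every environment variable into the build log;
  # drop or narrow it before this pipeline is ever given secrets.
  - SET
  - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0'
  - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0'
  - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0'
  - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0'
environment:
  matrix:
    -
      RUBY_VERSION: 24-x64
      CHECK: syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop
    -
      PUPPET_GEM_VERSION: ~> 4.0
      RUBY_VERSION: 21
      CHECK: parallel_spec
    -
      PUPPET_GEM_VERSION: ~> 4.0
      RUBY_VERSION: 21-x64
      CHECK: parallel_spec
    -
      PUPPET_GEM_VERSION: ~> 5.0
      RUBY_VERSION: 24
      CHECK: parallel_spec
    -
      PUPPET_GEM_VERSION: ~> 5.0
      RUBY_VERSION: 24-x64
      CHECK: parallel_spec
matrix:
  fast_finish: true

install:
  - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH%
  - bundle install --jobs 4 --retry 2 --without system_tests
  - type Gemfile.lock
build: off

test_script:
  - bundle exec puppet -V
  - ruby -v
  - gem -v
  - bundle -v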
47 | - bundle exec rake %CHECK% 48 | notifications: 49 | - provider: Email 50 | to: 51 | - nobody@nowhere.com 52 | on_build_success: false 53 | on_build_failure: false 54 | on_build_status_changed: false 55 | -------------------------------------------------------------------------------- /examples/init.pp: -------------------------------------------------------------------------------- 1 | include ::harden_windows_server 2 | -------------------------------------------------------------------------------- /files/auditDC.csv: -------------------------------------------------------------------------------- 1 | Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value 2 | ,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 3 | ,System,Audit Application Group Management,{0cce9239-69ae-11d9-bed3-505054503030},Success and Failure,,3 4 | ,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3 5 | ,System,Audit Distribution Group Management,{0cce9238-69ae-11d9-bed3-505054503030},Success and Failure,,3 6 | ,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3 7 | ,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 8 | ,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 9 | ,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 10 | ,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3 11 | ,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success and Failure,,3 12 | ,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success,,1 13 | ,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1 14 | ,System,Audit 
Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 15 | ,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 16 | ,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 17 | ,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 18 | ,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 19 | ,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 20 | ,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3 21 | ,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 22 | ,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 23 | ,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3 24 | ,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 25 | -------------------------------------------------------------------------------- /files/auditMS.csv: -------------------------------------------------------------------------------- 1 | Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value 2 | ,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 3 | ,System,Audit Application Group Management,{0cce9239-69ae-11d9-bed3-505054503030},Success and Failure,,3 4 | ,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3 5 | ,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3 6 | ,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 7 | ,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 8 | 
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 9 | ,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success,,1 10 | ,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1 11 | ,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 12 | ,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 13 | ,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 14 | ,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 15 | ,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 16 | ,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 17 | ,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3 18 | ,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 19 | ,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 20 | ,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3 21 | ,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 22 | -------------------------------------------------------------------------------- /hiera.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # basic, just for appveyor 3 | version: 5 4 | defaults: 5 | data_hash: yaml_data 6 | datadir: data 7 | -------------------------------------------------------------------------------- /manifests/init.pp: -------------------------------------------------------------------------------- 1 | #init.pp 2 | class harden_windows_server ( 3 | Boolean $is_domain_controller = false, 4 | #1 5 | Boolean $ensure_enforce_password_history_is_set_to_24_or_more_passwords = true, 6 | Boolean 
$ensure_maximum_password_age_is_set_to_60_or_fewer_days_but_not_0 = true, 7 | Boolean $ensure_minimum_password_age_is_set_to_1_or_more_days = true, 8 | Boolean $ensure_minimum_password_length_is_set_to_14_or_more_characters = true, 9 | Boolean $ensure_password_must_meet_complexity_requirements_is_set_to_enabled = true, 10 | Boolean $ensure_store_passwords_using_reversible_encryption_is_set_to_disabled = true, 11 | Boolean $ensure_account_lockout_duration_is_set_to_15_or_more_minutes = true, 12 | Boolean $ensure_account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0 = true, 13 | Boolean $ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes = true, 14 | #2.2 15 | Boolean $ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one = true, 16 | Boolean $configure_access_this_computer_from_the_network = true, 17 | Boolean $ensure_act_as_part_of_the_operating_system_is_set_to_no_one = true, 18 | Boolean $ensure_add_workstations_to_domain_is_set_to_administrators = true, 19 | Boolean $ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service = true, 20 | Boolean $configure_allow_log_on_locally = true, 21 | Boolean $configure_allow_log_on_through_remote_desktop_services = true, 22 | Boolean $ensure_back_up_files_and_directories_is_set_to_administrators = true, 23 | Boolean $ensure_change_the_system_time_is_set_to_administrators_local_service = true, 24 | Boolean $ensure_change_the_time_zone_is_set_to_administrators_local_service = true, 25 | Boolean $ensure_create_a_pagefile_is_set_to_administrators = true, 26 | Boolean $ensure_create_a_token_object_is_set_to_no_one = true, 27 | Boolean $ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service = true, 28 | Boolean $ensure_create_permanent_shared_objects_is_set_to_no_one = true, 29 | Boolean $configure_create_symbolic_links = true, 30 | Boolean $ensure_debug_programs_is_set_to_administrators = 
true, 31 | Boolean $configure_deny_access_to_this_computer_from_the_network = true, 32 | Boolean $ensure_deny_log_on_as_a_batch_job_to_include_guests = true, 33 | Boolean $ensure_deny_log_on_as_a_service_to_include_guests = true, 34 | Boolean $ensure_deny_log_on_locally_to_include_guests = true, 35 | Boolean $ensure_deny_log_on_through_remote_desktop_services_to_include_guests_local_account = true, 36 | Boolean $configure_enable_computer_and_user_acounts_to_be_trusted_for_delegation = true, 37 | Boolean $ensure_force_shutdown_from_a_remote_system_is_set_to_administrators = true, 38 | Boolean $ensure_generate_security_audits_is_set_to_local_service_network_service = true, 39 | Boolean $configure_impersonate_a_client_after_authentication = true, 40 | Boolean $ensure_increase_scheduling_priority_is_set_to_administrators = true, 41 | Boolean $ensure_load_and_unload_device_drivers_is_set_to_administrators = true, 42 | Boolean $ensure_lock_pages_in_menory_is_set_to_no_one = true, 43 | Boolean $ensure_log_on_as_a_batch_job_is_set_to_administrators = false, #LEVEL 2 44 | Boolean $configure_manage_auditing_and_security_log = true, 45 | Boolean $ensure_modify_an_object_label_is_set_to_no_one = true, 46 | Boolean $ensure_modify_firmware_environment_values_is_set_to_administrators = true, 47 | Boolean $ensure_perform_volume_maintenance_tasks_is_set_to_administrators = true, 48 | Boolean $ensure_profile_single_process_is_set_to_administrators = true, 49 | Boolean $ensure_profile_system_performance_is_set_to_administrators_nt_service_wdiservicehost = true, 50 | Boolean $ensure_replace_a_process_level_token_is_set_to_local_service_network_service = true, 51 | Boolean $ensure_restore_files_and_directories_is_set_to_administrators = true, 52 | Boolean $ensure_shut_down_the_system_is_set_to_administrators = true, 53 | Boolean $ensure_synchronize_directory_service_data_is_set_to_no_one = true, 54 | Boolean $ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators = 
true, 55 | #2.3 56 | Boolean $ensure_accounts_administrator_account_status_is_set_to_disabled = true, 57 | Boolean $ensure_accounts_guest_account_status_is_set_to_disabled = true, 58 | Boolean $ensure_accounts_limit_local_account_use_of_blank_password_to_console_logon_only_is_set_to_enabled = true, 59 | Boolean $configure_accounts_rename_administrator_account = true, 60 | Boolean $configure_accounts_rename_guest_account = true, 61 | Boolean $ensure_audit_force_audit_policy_subcategory_settings_to_override_audit_policy_category_settings = true, 62 | Boolean $ensure_audit_shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_disabled = true, 63 | Boolean $ensure_devices_allowed_to_format_and_eject_removable_media_is_set_to_administrators = true, 64 | Boolean $ensure_devices_prevent_users_from_installing_printer_drivers_is_set_to_enabled = true, 65 | Boolean $ensure_domain_controller_allow_server_operators_to_schedule_tasks_is_set_to_disabled = true, 66 | Boolean $ensure_domain_controller_ldap_server_signing_requirements_is_set_to_require_signing = true, 67 | Boolean $ensure_domain_controller_refuse_machine_account_password_changes_is_set_to_disabled = true, 68 | Boolean $ensure_domain_member_digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_enabled = true, 69 | Boolean $ensure_domain_member_digitally_encrypt_or_sign_secure_channel_data_when_possible_is_set_to_enabled = true, 70 | Boolean $ensure_domain_member_digitally_sign_secure_channel_data_when_possible_is_set_to_enabled = true, 71 | Boolean $ensure_domain_member_disable_machine_account_password_changes_is_set_to_disabled = true, 72 | Boolean $ensure_domain_member_maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0 = true, 73 | Boolean $ensure_domain_member_require_strong_session_key_windows_2000_or_later_is_set_to_enabled = true, 74 | Boolean $ensure_interactive_logon_do_not_display_last_user_name_is_set_to_enabled = true, 75 | Boolean 
$ensure_interactive_logon_do_not_require_ctrl_alt_del_is_set_to_disabled = true, 76 | Boolean $configure_interactive_logon_message_text_for_users_attempting_to_log_on = true, 77 | Boolean $configure_interactive_logon_message_title_for_users_attempting_to_log_on = true, 78 | Boolean $ensure_interactive_logon_number_of_previous_logons_to_cache_is_set_to_4_or_fewer_logons = false, #LEVEL 2 79 | Boolean $ensure_interactive_logon_prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days = true, 80 | Boolean $ensure_interactive_logon_require_domain_controller_authentication_to_unlock_workstation_is_set_to_enabled = true, 81 | Boolean $ensure_interactive_logon_smart_card_removal_behavior_is_set_to_lock_workstation_or_higher = true, 82 | Boolean $ensure_microsoft_network_client_digitally_sign_communications_always_is_set_to_enabled = true, 83 | Boolean $ensure_microsoft_network_client_digitally_sign_communications_if_server_agrees_is_set_to_enabled = true, 84 | Boolean $ensure_microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers_is_set_to_disabled = true, 85 | Boolean $ensure_microsoft_network_server_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes = true, 86 | Boolean $ensure_microsoft_network_server_digitally_sign_communications_always_is_set_to_enabled = true, 87 | Boolean $ensure_microsoft_network_server_digitally_sign_communications_if_client_agrees_is_set_to_enabled = true, 88 | Boolean $ensure_microsoft_network_server_disconnect_clients_when_logon_hours_expire_is_set_to_enabled = true, 89 | Boolean $ensure_microsoft_network_server_spn_target_name_validation_level_is_set_to_accept_if_provided_by_client = true, 90 | Boolean $ensure_network_access_allow_anonymous_sid_name_tranlation_is_set_to_disabled = true, 91 | Boolean $ensure_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_is_set_to_enabled = true, 92 | Boolean 
$ensure_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shared_is_set_to_enabled = true, 93 | Boolean $ensure_network_access_do_not_allow_storage_of_password_and_credentials_for_authentication_is_set_to_enabled = false, #LEVEL 2 94 | Boolean $ensure_network_access_let_everyone_permissions_apply_to_anonymous_users_is_set_to_disabled = true, 95 | Boolean $configure_network_access_named_pipes_that_can_be_accessed_anonymously = true, 96 | Boolean $configure_network_access_remotely_accessible_registry_paths = true, 97 | Boolean $configure_network_access_remotely_accessible_registry_paths_and_sub_paths = true, 98 | Boolean $ensure_network_access_restrict_anonymous_access_to_named_pipes_and_shares_is_set_to_enabled = true, 99 | Boolean $ensure_network_access_shares_that_can_be_accessed_anonymously_is_set_to_none = true, 100 | Boolean $ensure_network_access_sharing_and_security_model_for_local_accounts_is_set_to_classic = true, 101 | Boolean $ensure_network_security_allow_local_system_to_use_computer_identity_for_ntlm_is_set_to_enabled = true, 102 | Boolean $ensure_network_security_allow_localsystem_null_session_fallback_is_set_to_disabled = true, 103 | Boolean $ensure_network_security_allow_pku2u_authentication_requests_to_use_online_identities_is_set_to_disabled = true, 104 | Boolean $ensure_network_security_configure_encryption_types_allow_for_kerberos = true, 105 | Boolean $ensure_network_security_do_not_store_lan_manager_hash_value_on_next_password_change_is_set_to_enabled = true, 106 | Boolean $ensure_network_security_force_logoff_when_logon_hours_expire_is_set_to_enabled = true, 107 | Boolean $ensure_network_security_lan_manager_authentication_level_is_set_to_send_ntlmv2_response_only = true, 108 | Boolean $ensure_network_security_ldap_client_signing_requirements_is_set_to_negotiate_signing = true, 109 | Boolean $ensure_network_security_minimum_session_security_for_ntlm_ssp_based_clients = true, 110 | Boolean 
$ensure_network_security_minimum_session_security_for_ntlm_ssp_based_servers = true, 111 | Boolean $ensure_shutdown_allow_system_to_be_shutdown_without_having_to_logon_is_set_to_disabled = true, 112 | Boolean $ensure_system_objects_require_case_insensitivity_for_non_windows_subsystems_is_enabled = true, 113 | Boolean $ensure_system_objects_strengthen_default_permissions_of_internal_system_objects_is_enabled = true, 114 | Boolean $ensure_system_settings_optional_subsystems_is_set_to_defined_blank = true, 115 | Boolean $ensure_user_account_control_admin_approval_mode_for_the_admin_account_is_enabled = true, 116 | Boolean $ensure_user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_is_disabled = true, 117 | Boolean $ensure_user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode = true, 118 | Boolean $ensure_user_account_control_behavior_of_the_elevation_prompt_for_standard_users = true, 119 | Boolean $ensure_user_account_control_detect_application_installations_and_prompt_for_elevation_is_enabled = true, 120 | Boolean $ensure_user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations = true, 121 | Boolean $ensure_user_account_control_run_all_administrators_in_admin_approval_mode_is_enabled = true, 122 | Boolean $ensure_user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation_is_enabled = true, 123 | Boolean $ensure_user_account_control_virtualize_file_and_registry_write_failures_to_per_user_location_is_enabled = true, 124 | #9 125 | Boolean $ensure_windows_firewall_domain_firewall_state_is_set_to_on_recommended = true, 126 | Boolean $ensure_windows_firewall_domain_inbound_connections_is_set_to_block_default = true, 127 | Boolean $ensure_windows_firewall_domain_outbound_connections_is_set_to_allow_default = true, 128 | Boolean $ensure_windows_firewall_domain_settings_display_a_notification_is_set_to_no = true, 129 | Boolean 
$ensure_windows_firewall_domain_settings_apply_local_firewall_rules_is_set_to_yes_default = true, 130 | Boolean $ensure_windows_firewall_domain_settings_apply_local_connection_security_rules_is_yes = true, 131 | Boolean $ensure_windows_firewall_domain_logging_name_is_set_to_domainfwlog = true, 132 | Boolean $ensure_windows_firewall_domain_logging_size_limit_is_16384_or_greater = true, 133 | Boolean $ensure_windows_firewall_domain_logging_log_dropped_packets_is_set_to_yes = true, 134 | Boolean $ensure_windows_firewall_domain_logging_log_successful_connections_is_set_to_yes = true, 135 | Boolean $ensure_windows_firewall_private_firewall_state_is_set_to_on_recommended = true, 136 | Boolean $ensure_windows_firewall_private_inbound_connections_is_set_to_block_default = true, 137 | Boolean $ensure_windows_firewall_private_outbound_connections_is_set_to_allow_default = true, 138 | Boolean $ensure_windows_firewall_private_settings_display_a_notification_is_set_to_no = true, 139 | Boolean $ensure_windows_firewall_private_settings_apply_local_firewall_rules_is_set_to_yes_default = true, 140 | Boolean $ensure_windows_firewall_private_settings_apply_local_connection_security_rules_is_set_to_yes_default = true, 141 | Boolean $ensure_windows_firewall_private_logging_name_is_set_to_privatefwlog = true, 142 | Boolean $ensure_windows_firewall_private_logging_size_limit_is_set_to_16384_or_greater = true, 143 | Boolean $ensure_windows_firewall_private_logging_log_dropped_packets_is_set_to_yes = true, 144 | Boolean $ensure_windows_firewall_private_logging_log_successful_connections_is_set_to_yes = true, 145 | Boolean $ensure_windows_firewall_public_firewall_state_is_set_to_on_recommended = true, 146 | Boolean $ensure_windows_firewall_public_inbound_connections_is_set_to_block_default = true, 147 | Boolean $ensure_windows_firewall_public_outbound_connections_is_set_to_allow_default = true, 148 | Boolean $ensure_windows_firewall_public_settings_display_a_notification_is_set_to_yes = 
true, 149 | Boolean $ensure_windows_firewall_public_settings_apply_local_firewall_rules_is_set_to_no = true, 150 | Boolean $ensure_windows_firewall_public_settings_apply_local_connection_security_rules_is_set_to_no = true, 151 | Boolean $ensure_windows_firewall_public_logging_name_is_set_to_publicfwlog = true, 152 | Boolean $ensure_windows_firewall_public_logging_size_limit_is_set_to_16384_or_greater = true, 153 | Boolean $ensure_windows_firewall_public_logging_log_dropped_packets_is_set_to_yes = true, 154 | Boolean $ensure_windows_firewall_public_logging_log_successful_connections_is_set_to_yes = true, 155 | #17 156 | Boolean $advanced_audit_policy_configuration = true, 157 | #18.2 158 | Boolean $ensure_laps_admpwd_gpo_extension_cse_is_installed = true, #MS ONLY 159 | Boolean $ensure_do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_enabled = true, 160 | Boolean $ensure_enable_local_admin_password_management_is_set_to_enabled = true, 161 | Boolean $ensure_password_settings_password_complexity_is_set_to_enabled_large_letters_small_letters_numbers_special_characters = true, 162 | Boolean $ensure_password_settings_password_length_is_set_to_enabled_15_or_more = true, 163 | Boolean $ensure_password_settings_password_age_days_is_set_to_enabled_30_or_fewer = true, 164 | #18.3 165 | Boolean $ensure_mss_autoadminlogon_enable_automatic_logon_not_recommended_is_set_to_disabled = true, 166 | Boolean $ensure_mss_disableipsourcerouting_ipv6_ip_source_routing_protection_level_is_set_to_enabled_highest_protection_source_routing_disabled = true, 167 | Boolean $ensure_mss_disableipsourcerouting_ip_source_routing_protection_level_is_set_to_enabled_highest_protection_source_routing_disabled = true, 168 | Boolean $ensure_mss_enableicmpredirect_allow_icmp_redirects_to_override_ospf_generated_routes_is_set_to_disabled = true, 169 | Boolean $ensure_mss_keepalivetime_how_often_keepalive_packets_are_sent_in_millisecondsis_set_to_enabled_300000_or_5_minutes = 
false, #LEVEL 2 170 | Boolean $ensure_mss_nonamereleaseondemand_allow_the_computer_to_ignore_netbios_name_release_requests_except_from_wins_server_is_enabled = true, 171 | Boolean $ensure_mss_performrouterdiscovery_allow_irdp_to_detect_and_configure_default_gateway_addresses_is_set_to_disabled = false, #LEVEL 2 172 | Boolean $ensure_mss_safediisearchmode_enable_safe_dll_search_mode_is_set_to_enabled = true, 173 | Boolean $ensure_mss_screensavergraceperiod_the_time_in_seconds_before_the_screen_saver_grace_period_expired_is_set_to_enabled_5_or_fewer = true, 174 | Boolean $ensure_mss_tcpmaxdataretranmissions_ipv6_how_many_times_unacknowledged_data_is_retransmitted_is_set_to_enabled_3 = true, 175 | Boolean $ensure_mss_tcpmaxdataretransmissions_how_many_times_unacknowledged_data_is_retransmitted_is_set_to_enabled_3 = true, 176 | Boolean $ensure_mss_warninglevel_percentage_threshold_for_the_security_event_log_is_set_to_enabled_90_or_less = true, 177 | #18.4 - 18.6 178 | Boolean $ensure_turn_on_mapper_io_lltdio_driver_is_set_to_disabled = false, #LEVEL 2 179 | Boolean $ensure_turn_on_responder_rspndr_driver_is_set_to_disabled = false, #LEVEL 2 180 | Boolean $ensure_turn_off_microsoft_peer_to_peer_networking_services_is_set_to_enabled = false, #LEVEL 2 181 | Boolean $ensure_prohibit_installation_and_configuration_of_network_bridge_on_your_dns_domain_network_is_set_to_enabled = true, 182 | Boolean $ensure_require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_enabled = true, 183 | Boolean $ensure_hardened_unc_paths_is_set_to_enabled_with_require_mutual_authentication_and_require_integrity_for_all_netlogon_and_sysvol_shares = true, 184 | Boolean $disable_ipv6_ensure_tcpip6_parameter_disabledcomponents_is_set_to_0xff255 = false, #LEVEL 2 185 | Boolean $ensure_configuration_of_wireless_settings_using_windows_connect_now_is_set_to_disabled = false, #LEVEL 2 186 | Boolean $ensure_prohibit_access_of_the_windows_connect_now_wizards_is_set_to_enabled = false, 
#LEVEL 2 187 | Boolean $ensure_apply_uac_restrictions_to_local_accounts_on_network_logons_is_set_to_enabled = true, 188 | Boolean $ensure_wdigest_authentication_is_set_to_disabled = true, 189 | #18.8 190 | Boolean $ensure_include_command_line_in_process_creation_events_is_set_to_disabled = true, 191 | Boolean $ensure_allow_remote_access_to_the_plug_and_play_interface_is_set_to_disabled = true, 192 | Boolean $ensure_configure_registry_policy_processing_do_not_apply_during_periodic_background_processing_is_set_to_enabled_false = true, 193 | Boolean $ensure_configure_registry_policy_processing_process_even_if_the_group_policy_objects_have_not_changed_is_set_to_enabled_true = true, 194 | Boolean $ensure_turn_off_background_refresh_of_group_policy_is_set_to_disabled = true, 195 | Boolean $ensure_turn_off_downloading_of_print_drivers_over_http_is_set_to_enabled = false, #LEVEL 2 196 | Boolean $ensure_turn_off_handwriting_personalization_data_sharing_is_set_to_enabled = false, #LEVEL 2 197 | Boolean $ensure_turn_off_handwriting_recognition_error_reporting_is_set_to_enabled = false, #LEVEL 2 198 | Boolean $ensure_turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoftcom_is_set_to_enabled = false, #LEVEL 2 199 | Boolean $ensure_turn_off_internet_download_for_web_publishing_and_online_ordering_wizards_is_set_to_enabled = false, #LEVEL 2 200 | Boolean $ensure_turn_off_internet_file_association_service_is_set_to_enabled = false, #LEVEL 2 201 | Boolean $ensure_turn_off_printing_over_http_is_set_to_enabled = false, #LEVEL 2 202 | Boolean $ensure_turn_off_registration_if_url_connection_is_referring_to_microsoftcom_is_set_to_enabled = false, #LEVEL 2 203 | Boolean $ensure_turn_off_search_companion_content_file_updates_is_set_to_enabled = false, #LEVEL 2 204 | Boolean $ensure_turn_off_the_order_prints_picture_task_is_set_to_enabled = false, #LEVEL 2 205 | Boolean $ensure_turn_off_the_publish_to_web_task_for_files_and_folders_is_set_to_enabled = false, 
#LEVEL 2 206 | Boolean $ensure_turn_off_the_windows_messenger_customer_experience_improvement_program_is_set_to_enabled = false, #LEVEL 2 207 | Boolean $ensure_turn_off_windows_customer_experience_improvement_program_is_set_to_enabled = false, #LEVEL 2 208 | Boolean $ensure_turn_off_windows_error_reporting_is_set_to_enabled = false, #LEVEL 2 209 | Boolean $ensure_always_use_classic_logon = true, #MS ONLY 210 | Boolean $ensure_require_a_password_when_a_computer_wakes_on_battery_is_set_to_enabled = false, #LEVEL 2 211 | Boolean $ensure_require_a_password_when_a_computer_wakes_plugged_in_is_set_to_enabled = false, #LEVEL 2 212 | Boolean $ensure_configure_offer_remote_assistance_is_set_to_disabled = true, 213 | Boolean $ensure_configure_solicited_remote_assistance_is_set_to_disabled = true, 214 | Boolean $ensure_enable_rpc_endpoint_mapper_client_authentication_is_set_to_enabled = true, #MS ONLY 215 | Boolean $ensure_restrict_unauthenticated_rpc_clients_is_set_to_enabled_authenticatied = false, #LEVEL 2 MS ONLY 216 | Boolean $ensure_microsoft_support_diagnostic_tool_turn_on_msdt_interactive_communication_with_support_provider_is_set_to_disabled = false, #LEVEL 2 217 | Boolean $ensure_enable_disable_perftrack_is_set_to_disabled = false, #LEVEL 2 218 | Boolean $ensure_enable_windows_ntp_client_is_set_to_enabled = false, #LEVEL 2 219 | Boolean $ensure_enable_windows_ntp_server_is_set_to_disabled = false, #LEVEL 2 MS ONLY 220 | #18.9 221 | Boolean $ensure_disallow_autoplay_for_non_volume_devices_is_set_to_enabled = true, 222 | Boolean $ensure_set_the_default_behavior_for_autorun_is_set_to_enabled_do_not_execute_any_autorun_commands = true, 223 | Boolean $ensure_turn_off_autoplay_is_set_to_enabled_all_drives = true, 224 | Boolean $ensure_do_not_display_the_password_reveal_button_is_set_to_enabled = true, 225 | Boolean $ensure_enumerate_administrator_accounts_on_elevation_is_set_to_disabled = true, 226 | Boolean $ensure_turn_off_desktop_gadgets_is_set_to_enabled = true, 227 | 
Boolean $ensure_turn_off_user_installed_desktop_gadgets_is_set_to_enabled = true, 228 | Boolean $ensure_emet_551_or_higher_is_installed = true, 229 | Boolean $ensure_default_action_and_mitigation_settings_is_set_to_enabled_plus_subsettings = true, 230 | Boolean $ensure_default_protections_for_internet_explorer_is_set_to_enabled = true, 231 | Boolean $ensure_default_protections_for_popular_software_is_set_to_enabled = true, 232 | Boolean $ensure_default_protections_for_recommended_software_is_set_to_enabled = true, 233 | Boolean $ensure_system_aslr_is_set_to_enabled_application_opt_in = true, 234 | Boolean $ensure_system_dep_is_set_to_enabled_application_opt_out = true, 235 | Boolean $ensure_system_sehop_is_set_to_enabled_application_opt_out = true, 236 | Boolean $ensure_application_control_event_log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_disabled = true, 237 | Boolean $ensure_application_specify_the_maximum_log_file_size_kb_is_set_to_enabled_32768_or_greater = true, 238 | Boolean $ensure_security_control_event_log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_disabled = true, 239 | Boolean $ensure_security_specify_the_maximum_log_file_size_kb_is_set_to_enabled_196608_or_greater = true, 240 | Boolean $ensure_setup_control_event_log_behavior_when_the_log_reaches_its_maximum_size_is_set_to_disabled = true, 241 | Boolean $ensure_setup_specify_the_maximum_log_file_size_kb_is_set_to_enabled_32768_or_greater = true, 242 | Boolean $ensure_system_control_event_log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_disabled = true, 243 | Boolean $ensure_system_specify_the_maximum_log_file_size_kb_is_set_to_enabled_32768_or_greater = true, 244 | Boolean $ensure_turn_off_data_execution_prevention_for_explorer_is_set_to_disabled = true, 245 | Boolean $ensure_turn_off_heap_termination_on_corruption_is_set_to_disabled = true, 246 | Boolean $ensure_turn_off_shell_protocol_proteted_mode_is_set_to_disabled = true, 247 | Boolean 
$ensure_turn_off_location_is_set_to_enabled = false, #LEVEL 2 248 | Boolean $ensure_prevent_the_usage_of_onedrive_for_filestorage_is_set_to_enabled = true, 249 | Boolean $ensure_prevent_the_usage_of_onedrive_for_file_storage_on_windows_81_is_set_to_enabled = true, 250 | Boolean $ensure_do_not_allow_passwords_to_be_saved_is_set_to_enabled = true, 251 | Boolean $ensure_restrict_remote_desktop_services_users_to_a_single_remote_desktop_services_session_is_set_to_enabled = false, #LEVEL 2 252 | Boolean $ensure_do_not_allow_com_port_redirection_is_set_to_enabled = false, #LEVEL 2 253 | Boolean $ensure_do_not_allow_drive_redirection_is_set_to_enabled = true, 254 | Boolean $ensure_do_not_allow_lpt_port_redirection_is_set_to_enabled = false, #LEVEL 2 255 | Boolean $ensure_do_not_allow_supported_plug_and_play_device_redirection_is_set_to_enabled = false, #LEVEL 2 256 | Boolean $ensure_always_prompt_for_password_upon_connection_is_set_to_enabled = true, 257 | Boolean $ensure_require_secure_rpc_communication_is_set_to_enabled = true, 258 | Boolean $ensure_set_client_connection_encryption_level_is_set_to_enabled_high_level = true, 259 | Boolean $ensure_set_time_limit_for_active_but_idle_remote_desktop_services_sessions_is_set_to_enabled_15_minutes_or_less = false, #LEVEL 2 260 | Boolean $ensure_set_time_limit_for_disconnected_sessions_is_set_to_enabled_1_minute = false, #LEVEL 2 261 | Boolean $ensure_do_not_delete_temp_folders_upon_exit_is_set_to_disabled = true, 262 | Boolean $ensure_do_not_use_temporary_folders_per_session_is_set_to_disabled = true, 263 | Boolean $ensure_prevent_downloading_of_enclosures_is_set_to_enabled = true, 264 | Boolean $ensure_allow_indexing_of_encrypted_files_is_set_to_disabled = true, 265 | Boolean $ensure_join_microsoft_maps_is_set_to_disabled = false, #LEVEL 2 266 | Boolean $ensure_configure_default_consent_is_set_to_enabled_always_ask_before_sending_data = true, 267 | Boolean $ensure_allow_user_control_over_installs_is_set_to_disabled = true, 268 
| Boolean $ensure_always_install_with_elevated_privileges_is_set_to_disabled = true, 269 | Boolean $ensure_prevent_internet_explorer_security_prompt_for_windows_installer_scripts_is_set_to_disabled = false, #LEVEL 2 270 | Boolean $ensure_turn_on_powershell_script_block_logging_is_set_to_disabled = true, 271 | Boolean $ensure_turn_on_powershell_transcription_is_set_to_disabled = true, 272 | Boolean $ensure_winrm_client_allow_basic_authentication_is_set_to_disabled = true, 273 | Boolean $ensure_winrm_client_allow_unencrypted_traffic_is_set_to_disabled = true, 274 | Boolean $ensure_disallow_digest_authentication_is_set_to_enabled = true, 275 | Boolean $ensure_winrm_service_allow_basic_authentication_is_set_to_disabled = true, 276 | Boolean $ensure_allow_remote_server_management_through_winrm_is_set_to_disabled = false, #LEVEL 2 277 | Boolean $ensure_winrm_service_allow_unencrypted_traffic_is_set_to_disabled = true, 278 | Boolean $ensure_disallow_winrm_from_storing_runas_credentials_is_set_to_enabled = true, 279 | Boolean $ensure_allow_remote_shell_access_is_set_to_disabled = false, #LEVEL 2 280 | Boolean $ensure_configure_automatic_updates_is_set_to_enabled = true, 281 | Boolean $ensure_configure_automatic_updates_scheduled_install_day_is_set_to_0_every_day = true, 282 | Boolean $ensure_do_not_adjust_default_option_to_install_updates_and_shut_down_in_shut_down_windows_dialog_box_is_set_to_disabled = true, 283 | Boolean $ensure_do_not_display_install_updates_and_shut_down_option_in_shut_down_windows_dialog_box_is_set_to_disabled = true, 284 | Boolean $ensure_no_auto_restart_with_logged_on_users_for_scheduled_automatic_updates_installations_is_set_to_disabled = true, 285 | Boolean $ensure_reschedule_automatic_updates_scheduled_installations_is_set_to_enabled_1_minute = true, 286 | #19 287 | Boolean $ensure_enable_screen_saver_is_set_to_enabled = true, 288 | Boolean $ensure_force_specific_screen_saver_screen_saver_executable_name_is_set_to_enabled_scrnsavescr = true, 289 
| Boolean $ensure_password_protect_the_screen_saver_is_set_to_enabled = true, 290 | Boolean $ensure_screen_saver_timeout_is_set_to_enabled_900_seconds_or_fewer_but_not_0 = true, 291 | Boolean $ensure_turn_off_help_experience_improvement_program_is_set_to_enabled = false, # LEVEL 2 292 | Boolean $ensure_do_not_preserve_zone_information_in_file_attachments_is_set_to_disabled = true, 293 | Boolean $ensure_notify_antivirus_programs_when_opening_attachments_is_set_to_enabled = true, 294 | Boolean $ensure_prevent_users_from_sharing_files_within_their_profile_is_set_to_enabled = true, 295 | Boolean $ensure_always_install_with_elevated_privileges_is_set_to_disabled_windows_installer = true, 296 | Boolean $ensure_prevent_codec_download_is_set_to_enabled = false, #LEVEL 2 297 | ) { 298 | 299 | include ::harden_windows_server::configure 300 | } 301 | -------------------------------------------------------------------------------- /metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "autostructure-harden_windows_server", 3 | "version": "0.1.23", 4 | "author": "Autostructure", 5 | "summary": "Hardens Windows Server 2008 R2", 6 | "license": "Apache-2.0", 7 | "source": "https://github.com/autostructure/harden_windows_server", 8 | "project_page": "https://github.com/autostructure/harden_windows_server", 9 | "issues_url": "https://github.com/autostructure/harden_windows_server", 10 | "dependencies": [ 11 | { 12 | "name": "puppetlabs/stdlib", 13 | "version_requirement": ">=4.20.0 < 5.0.0" 14 | }, 15 | { 16 | "name": "kpn/local_security_policy", 17 | "version_requirement": ">=3.1.1 < 4.0.0" 18 | }, 19 | { 20 | "name": "autostructure-auditpol", 21 | "version_requirement": ">=1.0.0 < 2.0.0" 22 | }, 23 | { 24 | "name": "puppetlabs-registry", 25 | "version_requirement": ">=2.0.2 < 3.0.0" 26 | } 27 | ], 28 | "operatingsystem_support": [ 29 | { 30 | "operatingsystem": "Windows", 31 | "operatingsystemrelease": [ 32 | "2008 R2" 33 
| ] 34 | } 35 | ], 36 | "requirements": [ 37 | { 38 | "name": "puppet", 39 | "version_requirement": ">= 4.7.0 < 6.0.0" 40 | } 41 | ], 42 | "description": "Harden Windows Server", 43 | "pdk-version": "1.6.1", 44 | "template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git", 45 | "template-ref": "1.6.1-0-g6b0d497" 46 | } 47 | -------------------------------------------------------------------------------- /spec/acceptance/harden_spec.rb: -------------------------------------------------------------------------------- 1 | # module_root/spec/acceptance/standard_spec.rb 2 | require 'spec_helper_acceptance' 3 | 4 | describe 'init class' do 5 | context 'default parameters' do 6 | # Using puppet_apply as a helper 7 | it 'works with no errors based on the example' do 8 | pp = <<-PP 9 | class { 'harden_windows_server': } 10 | PP 11 | 12 | # Run it twice and test for idempotency 13 | 14 | apply_manifest(pp, catch_failures: true) 15 | expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero 16 | 17 | # expect(apply_manifest(pp).exit_code).to_not eq(1) 18 | # expect(apply_manifest(pp).exit_code).to eq(0) 19 | end 20 | end 21 | end 22 | -------------------------------------------------------------------------------- /spec/acceptance/nodesets/windows2008r2.yml: -------------------------------------------------------------------------------- 1 | HOSTS: 2 | win-2008R2-std: 3 | roles: 4 | - default 5 | - agent 6 | platform: windows-server-amd64 7 | box: opentable/win-2008r2-standard-amd64-nocm 8 | hypervisor: vagrant 9 | user: vagrant 10 | password: password 11 | is_cygwin: false 12 | -------------------------------------------------------------------------------- /spec/default_facts.yml: -------------------------------------------------------------------------------- 1 | # Use default_module_facts.yml for module specific facts. 2 | # 3 | # Facts specified here will override the values provided by rspec-puppet-facts. 
---
concat_basedir: "/tmp"
ipaddress: "172.16.254.254"
is_pe: false
macaddress: "AA:AA:AA:AA:AA:AA"
--------------------------------------------------------------------------------
/spec/spec_helper.rb:
--------------------------------------------------------------------------------
# Unit-test bootstrap for rspec-puppet: loads the shared module helper,
# builds the default fact set from the YAML files next to this file, and
# configures Puppet's strictness for the run.

require 'puppetlabs_spec_helper/module_spec_helper'
require 'rspec-puppet-facts'

# Optional repo-local overrides. A missing file is skipped silently; a file
# that fails to load only produces a warning. Only LoadError is rescued, so a
# syntax error inside spec_helper_local.rb still aborts the run.
begin
  require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb'))
rescue LoadError => loaderror
  warn "Could not require spec_helper_local: #{loaderror.message}"
end

# Top-level include: the rspec-puppet-facts helpers become available in
# every spec file loaded after this one.
include RspecPuppetFacts

# Facts every catalog compile starts with; the YAML files below are merged on
# top, so a key in default_facts.yml overrides these two.
default_facts = {
  puppetversion: Puppet.version,
  facterversion: Facter.version,
}

default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml'))
default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml'))

# YAML.safe_load rather than YAML.load: a fixture file cannot instantiate
# arbitrary Ruby objects, which matters because these files are shared,
# editable test inputs. Keys arrive as strings (see default_facts.yml above)
# while the seed hash uses symbols; rspec-puppet receives the mixed hash as-is.
# NOTE(review): safe_load returns nil/false for an empty file, and merge!
# would then raise TypeError — confirm whether an empty facts file is possible
# and guard with `|| {}` if so.
if File.exist?(default_facts_path) && File.readable?(default_facts_path)
  default_facts.merge!(YAML.safe_load(File.read(default_facts_path)))
end

if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path)
  default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path)))
end

RSpec.configure do |c|
  c.default_facts = default_facts
  c.before :each do
    # set to strictest setting for testing
    # by default Puppet runs at warning level
    # NOTE(review): the value set here is :warning, which the comment above
    # says is already Puppet's default; the strictest setting would be :error.
    # Confirm which is intended before relying on this to catch deprecations.
    Puppet.settings[:strict] = :warning
  end
end

# Walks a '::'-separated module path starting at Object, defining an empty
# Module for each segment that is not yet a constant, and returns the
# innermost module. Presumably lets a spec reference a namespace before the
# code that defines it is loaded.
#
# @param module_name [String] e.g. 'Foo::Bar'
# @return [Module] the module named by the last segment
def ensure_module_defined(module_name)
  module_name.split('::').reduce(Object) do |last_module, next_module|
    last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module)
    last_module.const_get(next_module)
  end
end

# 'spec_overrides' from sync.yml will appear below this line

--------------------------------------------------------------------------------
/spec/spec_helper_acceptance.rb:
--------------------------------------------------------------------------------
# Beaker acceptance-test bootstrap: installs the Puppet agent on every host in
# the nodeset at load time, then installs this module and its Forge
# dependencies once per suite.
require 'beaker-rspec/spec_helper'
require 'beaker-rspec/helpers/serverspec'
require 'beaker/puppet_install_helper'

# Runs when the helper is required, before any RSpec hook.
hosts.each do |host|
  install_puppet_agent_on(host)
end

RSpec.configure do |c|
  # Project root
  proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))

  # Readable test descriptions
  c.formatter = :documentation

  # Configure all nodes in nodeset
  c.before :suite do
    # Install module and dependencies
    puppet_module_install(source: proj_root, module_name: 'harden_windows_server')
    hosts.each do |host|
      # acceptable_exit_codes: [0, 1] — presumably so that a dependency that is
      # already present on the host does not abort the suite. The trade-off is
      # that any install failure exiting with 1 is silenced here and only shows
      # up later as a catalog compile failure.
      # NOTE(review): the Forge names used here differ from the dependencies
      # metadata.json declares on this page (kpn/local_security_policy,
      # autostructure-auditpol). Confirm which namespaces are intended so the
      # acceptance run resolves the same modules a real install would.
      on host, puppet('module', 'install', 'puppetlabs-stdlib'), acceptable_exit_codes: [0, 1]
      on host, puppet('module', 'install', 'puppetlabs-registry'), acceptable_exit_codes: [0, 1]
      on host, puppet('module', 'install', 'ayohrling-local_security_policy'), acceptable_exit_codes: [0, 1]
      on host, puppet('module', 'install', 'jonono-auditpol'), acceptable_exit_codes: [0, 1]
    end
  end
end
--------------------------------------------------------------------------------