A wrapper around secedit.exe to configure local security policies

SecurityPolicyDsc

A wrapper around secedit.exe to allow you to configure local security policies. This resource requires a Windows OS with secedit.exe.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

How to Contribute

If you would like to contribute to this repository, please read the DSC Resource Kit contributing guidelines.

Resources

  • UserRightsAssignment: Configures user rights assignments in local security policies.
  • SecurityTemplate: Configures user rights assignments that are defined in an INF file.
  • AccountPolicy: Configures the policies under the Account Policy node in local security policies.
  • SecurityOption: Configures the policies under the Security Options node in local security policies.

UserRightsAssignment

  • Policy: The policy name of the user rights assignment to be configured.
  • Identity: The identity of the user or group to be added or removed from the user rights assignment.
  • Force: Specifies to explicitly assign only the identities defined.

SecurityTemplate

  • Path: Path to an INF file that defines the desired security policies.

AccountPolicy

  • Name: A unique name of the AccountPolicy resource instance. This is not used during configuration but needed to ensure the resource configuration is unique.

For an explanation of the settings below, please consult the Account Policies Reference.

  • [String] Enforce_password_history (Write) : Please see the link above for a full description. { Passwords Remembered }
  • [String] Maximum_Password_Age (Write) : Please see the link above for a full description. { days }
  • [String] Minimum_Password_Age (Write) : Please see the link above for a full description. { days }
  • [String] Minimum_Password_Length (Write) : Please see the link above for a full description. { Character Count }
  • [String] Password_must_meet_complexity_requirements (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Store_passwords_using_reversible_encryption (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Account_lockout_duration (Write) : Please see the link above for a full description. { minutes }
  • [String] Account_lockout_threshold (Write) : Please see the link above for a full description. { invalid logon attempts }
  • [String] Reset_account_lockout_counter_after (Write) : Please see the link above for a full description. { minutes }

Note: the settings below pertain to Kerberos policies and must be set by a member of the Domain Admins group.

  • [String] Enforce_user_logon_restrictions (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Maximum_lifetime_for_service_ticket (Write) : Please see the link above for a full description. { minutes }
  • [String] Maximum_lifetime_for_user_ticket_renewal (Write) : Please see the link above for a full description. { days }
  • [String] Maximum_lifetime_for_user_ticket (Write) : Please see the link above for a full description. { hours }
  • [String] Maximum_tolerance_for_computer_clock_synchronization (Write) : Please see the link above for a full description. { minutes }

SecurityOption

  • Name: Name of security option configuration. This is not used during the configuration process but needed to ensure the resource configuration instance is unique.

For an explanation of the settings below, please consult the Security Options Reference.

  • [String] Accounts_Administrator_account_status (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Accounts_Block_Microsoft_accounts (Write) : Please see the link above for a full description. { This policy is disabled | Users cant add Microsoft accounts | Users cant add or log on with Microsoft accounts }
  • [String] Accounts_Guest_account_status (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Accounts_Rename_administrator_account (Write) : Please see the link above for a full description. { String }
  • [String] Accounts_Rename_guest_account (Write) : Please see the link above for a full description. { String }
  • [String] Audit_Audit_the_access_of_global_system_objects (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Audit_Audit_the_use_of_Backup_and_Restore_privilege (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Audit_Shut_down_system_immediately_if_unable_to_log_security_audits (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] DCOM_Machine_Access_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax (Write) : Please see the link above for a full description. { String }
  • [String] DCOM_Machine_Launch_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax (Write) : Please see the link above for a full description. { String }
  • [String] Devices_Allow_undock_without_having_to_log_on (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Devices_Allowed_to_format_and_eject_removable_media (Write) : Please see the link above for a full description. { Administrators and Interactive Users | Administrators | Administrators and Power Users }
  • [String] Devices_Prevent_users_from_installing_printer_drivers (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Devices_Restrict_floppy_access_to_locally_logged_on_user_only (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_controller_Allow_server_operators_to_schedule_tasks (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_controller_LDAP_server_signing_requirements (Write) : Please see the link above for a full description. { None | Require Signing }
  • [String] Domain_controller_Refuse_machine_account_password_changes (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Digitally_encrypt_secure_channel_data_when_possible (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Digitally_sign_secure_channel_data_when_possible (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Disable_machine_account_password_changes (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Domain_member_Maximum_machine_account_password_age (Write) : Please see the link above for a full description. { String }
  • [String] Domain_member_Require_strong_Windows_2000_or_later_session_key (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Display_user_information_when_the_session_is_locked (Write) : Please see the link above for a full description. { User displayname, domain and user names | Do not display user information | User display name only }
  • [String] Interactive_logon_Do_not_display_last_user_name (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Do_not_require_CTRL_ALT_DEL (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Machine_account_lockout_threshold (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Machine_inactivity_limit (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Message_text_for_users_attempting_to_log_on (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Message_title_for_users_attempting_to_log_on (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Prompt_user_to_change_password_before_expiration (Write) : Please see the link above for a full description. { String }
  • [String] Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Require_smart_card (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Interactive_logon_Smart_card_removal_behavior (Write) : Please see the link above for a full description. { Lock workstation | Force logoff | Disconnect if a remote Remote Desktop Services session | No Action }
  • [String] Microsoft_network_client_Digitally_sign_communications_always (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_client_Digitally_sign_communications_if_server_agrees (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session (Write) : Please see the link above for a full description. { String }
  • [String] Microsoft_network_server_Attempt_S4U2Self_to_obtain_claim_information (Write) : Please see the link above for a full description. { Default | Disabled | Enabled }
  • [String] Microsoft_network_server_Digitally_sign_communications_always (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Digitally_sign_communications_if_client_agrees (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Disconnect_clients_when_logon_hours_expire (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Microsoft_network_server_Server_SPN_target_name_validation_level (Write) : Please see the link above for a full description. { Off | Required from client | Accept if provided by the client }
  • [String] Network_access_Allow_anonymous_SID_Name_translation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Let_Everyone_permissions_apply_to_anonymous_users (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_access_Named_Pipes_that_can_be_accessed_anonymously (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Remotely_accessible_registry_paths (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Remotely_accessible_registry_paths_and_subpaths (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String[]] Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM (Write) : Please see the link above for a full description.
  • [String] Network_access_Shares_that_can_be_accessed_anonymously (Write) : Please see the link above for a full description. { String }
  • [String] Network_access_Sharing_and_security_model_for_local_accounts (Write) : Please see the link above for a full description. { Guest only - Local users authenticate as Guest | Classic - Local users authenticate as themselves }
  • [String] Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_Allow_LocalSystem_NULL_session_fallback (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_Configure_encryption_types_allowed_for_Kerberos (Write) : Please see the link above for a full description. { AES256_HMAC_SHA1 | DES_CBC_MD5 | FUTURE | AES128_HMAC_SHA1 | DES_CBC_CRC | RC4_HMAC_MD5 | FUTURE }
  • [String] Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_Force_logoff_when_logon_hours_expire (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Network_security_LAN_Manager_authentication_level (Write) : Please see the link above for a full description. { Send NTLMv2 responses only. Refuse LM | Send NTLMv2 responses only. Refuse LM & NTLM | Send LM & NTLM responses | Send LM & NTLM - use NTLMv2 session security if negotiated | Send NTLMv2 responses only | Send NTLM responses only }
  • [String] Network_security_LDAP_client_signing_requirements (Write) : Please see the link above for a full description. { Negotiate Signing | Require Signing | None }
  • [String] Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients (Write) : Please see the link above for a full description. { Require 128-bit encryption | Require NTLMv2 session security | Both options checked }
  • [String] Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers (Write) : Please see the link above for a full description. { Require 128-bit encryption | Require NTLMv2 session security | Both options checked }
  • [String] Network_security_Restrict_NTLM_Add_remote_server_exceptions_for_NTLM_authentication (Write) : Please see the link above for a full description. { String }
  • [String] Network_security_Restrict_NTLM_Add_server_exceptions_in_this_domain (Write) : Please see the link above for a full description. { String }
  • [String] Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic (Write) : Please see the link above for a full description. { Deny all | Deny for domain accounts | Deny for domain servers | Disable | Deny for domain accounts to domain servers }
  • [String] Network_Security_Restrict_NTLM_Audit_NTLM_authentication_in_this_domain (Write) : Please see the link above for a full description. { Deny all | Audit all | Allow all }
  • [String] Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic (Write) : Please see the link above for a full description. { Enable auditing for domain accounts | Enable auditing for all accounts | Disabled }
  • [String] Network_Security_Restrict_NTLM_NTLM_authentication_in_this_domain (Write) : Please see the link above for a full description. { Enable all | Enable for domain accounts | Enable for domain servers | Disable | Enable for domain accounts to domain servers }
  • [String] Network_Security_Restrict_NTLM_Outgoing_NTLM_traffic_to_remote_servers (Write) : Please see the link above for a full description. { Deny all accounts | Deny all domain accounts | Allow all }
  • [String] Recovery_console_Allow_automatic_administrative_logon (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Recovery_console_Allow_floppy_copy_and_access_to_all_drives_and_folders (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] Shutdown_Clear_virtual_memory_pagefile (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer (Write) : Please see the link above for a full description. { User input is not required when new keys are stored and used | User must enter a password each time they use a key | User is prompted when the key is first used }
  • [String] System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_objects_Require_case_insensitivity_for_non_Windows_subsystems (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] System_settings_Optional_subsystems (Write) : Please see the link above for a full description. { String }
  • [String] System_settings_Use_Certificate_Rules_on_Windows_Executables_for_Software_Restriction_Policies (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode (Write) : Please see the link above for a full description. { Elevate without prompting | Prompt for consent | Prompt for credentials on the secure desktop | Prompt for credentials | Prompt for consent for non-Windows binaries | Prompt for consent on the secure desktop }
  • [String] User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users (Write) : Please see the link above for a full description. { Prompt for crendentials | Prompt for credentials on the secure desktop | Automatically deny elevation request }
  • [String] User_Account_Control_Detect_application_installations_and_prompt_for_elevation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Only_elevate_executables_that_are_signed_and_validated (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation (Write) : Please see the link above for a full description. { Disabled | Enabled }
  • [String] User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations (Write) : Please see the link above for a full description. { Disabled | Enabled }
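The following DSC configuration is an added example (not part of this repository) that combines the three resources documented above: a UserRightsAssignment with Force so that only the listed identity keeps the right, an AccountPolicy that sets the lockout counters, and a SecurityOption that hardens NTLM and SMB signing. The policy name 'Debug_programs' follows the resource's underscore naming convention and the output path is a constructed placeholder; both are assumptions.

```powershell
Configuration LocalPolicyBaseline
{
    Import-DscResource -ModuleName 'SecurityPolicyDsc'

    Node 'localhost'
    {
        # Force = $true makes the assignment exclusive: any identity currently
        # holding the right that is not listed in Identity is removed.
        UserRightsAssignment DebugPrograms
        {
            Policy   = 'Debug_programs'     # assumed policy name (resource convention)
            Identity = 'Administrators'
            Force    = $true
        }

        # All AccountPolicy values are strings; the units are the ones listed above.
        AccountPolicy LockoutBaseline
        {
            Name                                       = 'AccountLockoutBaseline'
            Account_lockout_threshold                  = '5'    # invalid logon attempts
            Account_lockout_duration                   = '15'   # minutes
            Reset_account_lockout_counter_after        = '15'   # minutes
            Minimum_Password_Length                    = '14'   # character count
            Password_must_meet_complexity_requirements = 'Enabled'
        }

        # Name is only a unique key for the instance; the enumeration strings must
        # match the values listed for each option exactly.
        SecurityOption NetworkSecurityBaseline
        {
            Name = 'NetworkSecurityBaseline'
            Network_security_LAN_Manager_authentication_level = 'Send NTLMv2 responses only. Refuse LM & NTLM'
            Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares = 'Enabled'
            Microsoft_network_server_Digitally_sign_communications_always = 'Enabled'
            Microsoft_network_client_Digitally_sign_communications_always = 'Enabled'
        }
    }
}

# Compile the MOF, apply it, then report per-resource drift (constructed output path).
$outputPath = 'C:\DSC\LocalPolicyBaseline'
LocalPolicyBaseline -OutputPath $outputPath
Start-DscConfiguration -Path $outputPath -Wait -Verbose
Test-DscConfiguration -Path $outputPath -Detailed
```

Running Test-DscConfiguration on a schedule turns this baseline into a drift detector: any resource reported as not in desired state means a local policy was changed outside DSC.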

Branches

master

This is the branch containing the latest release - no contributions should be made directly to this branch.

dev

This is the development branch to which contributions should be proposed by contributors as pull requests. This development branch will periodically be merged to the master branch, and be released to PowerShell Gallery.

Change log

A full list of changes in each version can be found in the change log.