When I showcased DSC to our security team, I also built another wrapper of secedit.exe.
I took the same quick’n dirty approach as the audit policy DSC script from my previous post. Again, only a File and a Script DSC resource are involved in the configuration.
Note that there’s also a limitation in my code: it only handles the local security policy (the SECURITYPOLICY area).
Secedit.exe can handle more than just the local security policy.
There are other areas it can cover — restricted group settings, user logon rights, … — and none of them are checked or enforced by the script below.
To get the security baseline I first exported the current local security policy to a file like this:
secedit.exe /export /Cfg C:\secpol.txt /areas SECURITYPOLICY
… and I copied/pasted the content of the resulting C:\secpol.txt into the Contents property of my File resource. Be aware that such an export is a snapshot of whatever the machine was already configured with, not a hardened baseline: review the values (for instance MinimumPasswordLength, PasswordHistorySize, LockoutBadCount and the [Event Audit] entries, which are all 0 in the sample below) before you let DSC enforce them.
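#region secedit
# Enforce the local security policy (secedit "SECURITYPOLICY" area) from the
# template .inf laid down by the File resource below. Only that area is
# covered: restricted groups, user logon rights and the other secedit areas are
# neither tested nor applied.
#
# Paths are kept under C:\Windows\security (next to secedit.sdb), which by
# default is writable only by Administrators/SYSTEM. They deliberately stay out
# of C:\Windows\Temp: that directory lets ordinary users create files, and the
# File resource rewrites content without resetting ownership/ACL, so a
# pre-created, attacker-owned seceditpol.inf could be edited between the File
# and Script resources and then imported as SYSTEM. Confirm the ACL of the
# templates directory on your build before relying on it.
Script SeceditPolicy {
    GetScript = {
        # Parse "Key=Value" lines of a secedit template/export into objects.
        # Splits on the FIRST "=" only and keeps the whole right-hand side as one
        # trimmed string, so multi-string entries ("7,path,path,...") and quoted
        # values are represented in full rather than truncated at the second comma.
        function ConvertFrom-SeceditInf {
            param([string]$Path)
            foreach ($line in (Get-Content -Path $Path -ErrorAction Stop)) {
                if ($line -match '^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$') {
                    [pscustomobject]@{ Key = $Matches[1]; Value = $Matches[2] }
                }
            }
        }
        $export = 'C:\Windows\security\templates\secpol.SECURITYPOLICY.txt'
        $null = & (Get-Command secedit.exe) @('/export', '/Cfg', $export, '/areas', 'SECURITYPOLICY')
        try {
            @{
                GetScript  = $GetScript
                SetScript  = $SetScript
                TestScript = $TestScript
                Result     = @(ConvertFrom-SeceditInf -Path $export)
            }
        }
        finally {
            # The export is only a scratch copy of the live policy; do not leave it behind.
            Remove-Item -Path $export -Force -ErrorAction SilentlyContinue
        }
    }
    SetScript = {
        # secedit /import /db filename /cfg filename [/overwrite][/areas area1 area2...] [/log filename] [/quiet]
        $template = 'C:\Windows\security\templates\seceditpol.inf'
        $log      = 'C:\Windows\security\templates\seceditpol.log'
        # NOTE(review): secedit documents /import as loading a template into the
        # database and /configure as applying settings from it. The original used
        # /import against the system secedit.sdb and is kept as-is; if the policy
        # does not take effect after a run, switch this to '/configure /db ... /cfg ...'.
        & (Get-Command secedit.exe) @('/import', '/db', 'C:\Windows\security\database\secedit.sdb', '/cfg', $template,
            '/areas', 'SECURITYPOLICY', '/log', $log, '/quiet')
        # /quiet hides secedit's own output, so without this check a failed policy
        # apply is invisible to DSC; surface it so the LCM reports the failure.
        if ($LASTEXITCODE -ne 0) {
            throw "secedit /import of '$template' failed with exit code $LASTEXITCODE; see '$log'."
        }
    }
    TestScript = {
        # Same parser as in GetScript (each DSC script block runs on its own, so
        # the helper has to be declared in every block that needs it).
        function ConvertFrom-SeceditInf {
            param([string]$Path)
            foreach ($line in (Get-Content -Path $Path -ErrorAction Stop)) {
                if ($line -match '^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$') {
                    [pscustomobject]@{ Key = $Matches[1]; Value = $Matches[2] }
                }
            }
        }
        $template = 'C:\Windows\security\templates\seceditpol.inf'
        $export   = 'C:\Windows\security\templates\secpol.SECURITYPOLICY.txt'
        $null = & (Get-Command secedit.exe) @('/export', '/Cfg', $export, '/areas', 'SECURITYPOLICY')
        try {
            $desired = @(ConvertFrom-SeceditInf -Path $template)
            $actual  = @(ConvertFrom-SeceditInf -Path $export)
            # An empty template declares nothing, so there is nothing to be out of
            # compliance with (and Compare-Object rejects an empty reference set).
            if ($desired.Count -eq 0) { return $true }
            # Only entries present in the template are "desired": a setting the
            # export lists that the template does not mention is not drift, so keep
            # just the '<=' side (template entry missing from, or differing in, the
            # live policy). Comparing on Key,Value rather than on the objects
            # themselves keeps the check independent of how PSCustomObject renders.
            $drift = Compare-Object -ReferenceObject $desired -DifferenceObject $actual -Property Key, Value |
                Where-Object { $_.SideIndicator -eq '<=' }
            return (@($drift).Count -eq 0)
        }
        finally {
            Remove-Item -Path $export -Force -ErrorAction SilentlyContinue
        }
    }
    DependsOn = '[File]seceditinf'
}
File seceditinf {
    # The desired SECURITYPOLICY template. It is a verbatim secedit export of the
    # machine the author exported from, NOT a hardened baseline: e.g.
    # MinimumPasswordLength=0, PasswordHistorySize=0, LockoutBadCount=0, every
    # [Event Audit] category at 0 and LanManServer RequireSecuritySignature=0 are
    # the values that will be enforced until you edit them. The file lives under
    # C:\Windows\security for the reason given on the Script resource above.
    DestinationPath = 'C:\Windows\security\templates\seceditpol.inf'
    Ensure          = 'Present'
    Force           = $true
    Contents        = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain=4,7
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
'@
}
#endregion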