Premium module
sce_windows
Security Compliance Enforcement for Windows
Version information
released May 7th 2024
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 9.0.0
Tasks:
- sce_delete_securitypolicy_inf
Documentation
puppetlabs/sce_windows — version 2.0.0 May 7th 2024
Product documentation is available on the Puppet Docs website.
SCE for Windows Reference
Table of Contents
- CIS Microsoft Windows Server 2016 Benchmark 2.0.0
- CIS Microsoft Windows Server 2019 Benchmark 2.0.0
- CIS Microsoft Windows Server 2022 Benchmark 2.0.0
- CIS Microsoft Windows 10 Enterprise Benchmark 2.0.0
CIS Microsoft Windows Server 2016 Benchmark 2.0.0
1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
- Parameters:
  - dsc_enforce_password_history - [Optional[Integer[0, 4294967295]]] - Default: 24
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
          dsc_enforce_password_history: 24
- Alternate Config IDs:
  - 1.1.1
  - c1_1_1
  - ensure_enforce_password_history_is_set_to_24_or_more_passwords
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
- Parameters:
  - dsc_maximum_password_age - [Optional[Integer[0, 4294967295]]] - Default: 60
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
          dsc_maximum_password_age: 60
- Alternate Config IDs:
  - 1.1.2
  - c1_1_2
  - ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
- Parameters:
  - dsc_minimum_password_age - [Optional[Integer[0, 4294967295]]] - Default: 1
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
          dsc_minimum_password_age: 1
- Alternate Config IDs:
  - 1.1.3
  - c1_1_3
  - ensure_minimum_password_age_is_set_to_1_or_more_days
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
- Parameters:
  - dsc_minimum_password_length - [Optional[Integer[0, 4294967295]]] - Default: 14
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
          dsc_minimum_password_length: 14
- Alternate Config IDs:
  - 1.1.4
  - c1_1_4
  - ensure_minimum_password_length_is_set_to_14_or_more_characters
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
- Parameters:
  - dsc_password_must_meet_complexity_requirements - [Optional[Enum["Enabled", "Disabled"]]] - Default: Enabled
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
          dsc_password_must_meet_complexity_requirements: "Enabled"
- Alternate Config IDs:
  - 1.1.5
  - c1_1_5
  - ensure_password_must_meet_complexity_requirements_is_set_to_enabled
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
- Parameters:
  - dsc_store_passwords_using_reversible_encryption - [Optional[Enum["Enabled", "Disabled"]]] - Default: Disabled
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
          dsc_store_passwords_using_reversible_encryption: "Disabled"
- Alternate Config IDs:
  - 1.1.6
  - c1_1_6
  - ensure_store_passwords_using_reversible_encryption_is_set_to_disabled
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Parameters:
  - dsc_account_lockout_duration - [Optional[Integer[0, 4294967295]]] - Default: 30
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
          dsc_account_lockout_duration: 30
- Alternate Config IDs:
  - 1.2.1
  - c1_2_1
  - ensure_account_lockout_duration_is_set_to_15_or_more_minutes
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
- Parameters:
  - dsc_account_lockout_threshold - [Optional[Integer[0, 4294967295]]] - Default: 5
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
          dsc_account_lockout_threshold: 5
- Alternate Config IDs:
  - 1.2.2
  - c1_2_2
  - ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.2.3 - (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
- Parameters:
  - dsc_reset_account_lockout_counter_after - [Optional[Integer[0, 4294967295]]] - Default: 30
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'":
          dsc_reset_account_lockout_counter_after: 30
- Alternate Config IDs:
  - 1.2.3
  - c1_2_3
  - ensure_allow_administrator_account_lockout_is_set_to_enabled
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
1.2.4 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
- Parameters:
  - dsc_reset_account_lockout_counter_after - [Optional[Integer[0, 4294967295]]] - Default: 30
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
          dsc_reset_account_lockout_counter_after: 30
- Alternate Config IDs:
  - 1.2.4
  - c1_2_4
  - ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes
- Resource:
  - Class['sce_windows::utils::accountpolicy_wrapper']
2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Parameters:
  - users - [Array[String]] - Default: []
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Access_Credential_Manager_as_a_trusted_caller
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
          users: []
          dsc_policy: "Access_Credential_Manager_as_a_trusted_caller"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.1
  - c2_2_1
  - ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Access Credential Manager as a trusted caller']
2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Access_this_computer_from_the_network
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)":
          users: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
          dsc_policy: "Access_this_computer_from_the_network"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.3
  - c2_2_3
  - ensure_access_this_computer_from_the_network__is_set_to_administrators_authenticated_users_ms_only
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Access this computer from the network']
2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'
- Parameters:
  - users - [Array[String]] - Default: []
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Act_as_part_of_the_operating_system
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
          users: []
          dsc_policy: "Act_as_part_of_the_operating_system"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.4
  - c2_2_4
  - ensure_act_as_part_of_the_operating_system_is_set_to_no_one
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Act as part of the operating system']
2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Adjust_memory_quotas_for_a_process
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
          users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
          dsc_policy: "Adjust_memory_quotas_for_a_process"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.6
  - c2_2_6
  - ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Adjust memory quotas for a process']
2.2.7 - (L1) Ensure 'Allow log on locally' is set to 'Administrators'
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Allow_log_on_locally
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Allow log on locally' is set to 'Administrators'":
          users: ["Builtin\\Administrators"]
          dsc_policy: "Allow_log_on_locally"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.7
  - c2_2_7
  - ensure_allow_log_on_locally_is_set_to_administrators
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on locally']
2.2.9 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Allow_log_on_through_Remote_Desktop_Services
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)":
          users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
          dsc_policy: "Allow_log_on_through_Remote_Desktop_Services"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.9
  - c2_2_9
  - ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users_ms_only
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on through Remote Desktop Services']
2.2.10 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Back_up_files_and_directories
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
          users: ["Builtin\\Administrators"]
          dsc_policy: "Back_up_files_and_directories"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.10
  - c2_2_10
  - ensure_back_up_files_and_directories_is_set_to_administrators
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Back up files and directories']
2.2.11 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Change_the_system_time
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
          users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
          dsc_policy: "Change_the_system_time"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.11
  - c2_2_11
  - ensure_change_the_system_time_is_set_to_administrators_local_service
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Change the system time']
2.2.12 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Change_the_time_zone
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'":
          users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
          dsc_policy: "Change_the_time_zone"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.12
  - c2_2_12
  - ensure_change_the_time_zone_is_set_to_administrators_local_service
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Change the time zone']
2.2.13 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'
- Parameters:
  - users - [Array[String]] - Default: ["Builtin\\Administrators"]
  - dsc_policy - [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]] - Default: Create_a_pagefile
  - dsc_force - [Boolean] - Default: true
- Supported Levels:
  - level_1
- Supported Profiles:
  - member_server
- Hiera Configuration Example:
    sce_windows::config:
      control_configs:
        "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
          users: ["Builtin\\Administrators"]
          dsc_policy: "Create_a_pagefile"
          dsc_force: true
- Alternate Config IDs:
  - 2.2.13
  - c2_2_13
  - ensure_create_a_pagefile_is_set_to_administrators
- Resource:
  - Sce_windows::Utils::Userrightsassignment_wrapper['Create a pagefile']
2.2.14 - (L1) Ensure 'Create a token object' is set to 'No One'
- Parameters:
users
- [Array[String]
] - Default:[]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Create_a_token_object
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: []
      dsc_policy: "Create_a_token_object"
      dsc_force: true
- Alternate Config IDs:
2.2.14
c2_2_14
ensure_create_a_token_object_is_set_to_no_one
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Create a token object']
2.2.15 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Create_global_objects
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Create_global_objects"
      dsc_force: true
- Alternate Config IDs:
2.2.15
c2_2_15
ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Create global objects']
2.2.16 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'
- Parameters:
users - [Array[String]] - Default: []
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Create_permanent_shared_objects
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: []
      dsc_policy: "Create_permanent_shared_objects"
      dsc_force: true
- Alternate Config IDs:
2.2.16
c2_2_16
ensure_create_permanent_shared_objects_is_set_to_no_one
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Create permanent shared objects']
2.2.18 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Create_symbolic_links
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_symbolic_links"
      dsc_force: true
- Alternate Config IDs:
2.2.18
c2_2_18
ensure_create_symbolic_links_is_set_to_administrators_nt_virtual_machinevirtual_machines_ms_only
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Create symbolic links']
2.2.19 - (L1) Ensure 'Debug programs' is set to 'Administrators'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Debug_programs
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Debug_programs"
      dsc_force: true
- Alternate Config IDs:
2.2.19
c2_2_19
ensure_debug_programs_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Debug programs']
2.2.21 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Deny_access_to_this_computer_from_the_network
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
      dsc_policy: "Deny_access_to_this_computer_from_the_network"
      dsc_force: true
- Alternate Config IDs:
2.2.21
c2_2_21
ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account_and_member_of_administrators_group_ms_only
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Deny access to this computer from the network']
2.2.22 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Guests"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Deny_log_on_as_a_batch_job
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_batch_job"
      dsc_force: true
- Alternate Config IDs:
2.2.22
c2_2_22
ensure_deny_log_on_as_a_batch_job_to_include_guests
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a batch job']
2.2.23 - (L1) Ensure 'Deny log on as a service' to include 'Guests'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Guests"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Deny_log_on_as_a_service
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_service"
      dsc_force: true
- Alternate Config IDs:
2.2.23
c2_2_23
ensure_deny_log_on_as_a_service_to_include_guests
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a service']
2.2.24 - (L1) Ensure 'Deny log on locally' to include 'Guests'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Guests"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Deny_log_on_locally
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_locally"
      dsc_force: true
- Alternate Config IDs:
2.2.24
c2_2_24
ensure_deny_log_on_locally_to_include_guests
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on locally']
2.2.26 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Deny_log_on_through_Remote_Desktop_Services
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: "Deny_log_on_through_Remote_Desktop_Services"
      dsc_force: true
- Alternate Config IDs:
2.2.26
c2_2_26
ensure_deny_log_on_through_remote_desktop_services_is_set_to_guests_local_account_ms_only
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on through Remote Desktop Services']
2.2.28 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)
- Parameters:
users - [Array[String]] - Default: []
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)":
      users: []
      dsc_policy: "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
      dsc_force: true
- Alternate Config IDs:
2.2.28
c2_2_28
ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one_ms_only
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Enable computer and user accounts to be trusted for delegation']
2.2.29 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Force_shutdown_from_a_remote_system
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Force_shutdown_from_a_remote_system"
      dsc_force: true
- Alternate Config IDs:
2.2.29
c2_2_29
ensure_force_shutdown_from_a_remote_system_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Force shutdown from a remote system']
2.2.30 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
- Parameters:
users - [Array[String]] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Generate_security_audits
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Generate_security_audits"
      dsc_force: true
- Alternate Config IDs:
2.2.30
c2_2_30
ensure_generate_security_audits_is_set_to_local_service_network_service
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Generate security audits']
2.2.32 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)
- Parameters:
users - [Array[String]] - Default: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default: Impersonate_a_client_after_authentication
dsc_force - [Boolean] - Default: true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true
- Alternate Config IDs:
2.2.32
c2_2_32
ensure_impersonate_a_client_after_authentication_is_set_to_administrators_local_service_network_service_service_and_when_the_web_server_iis_role_with_web_services_role_service_is_installed_iis_iusrs_ms_only
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Impersonate a client after authentication']
2.2.33 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'
- Parameters:
users - [Array[String]] - Default: ["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Increase_scheduling_priority
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Increase_scheduling_priority"
      dsc_force: true
- Alternate Config IDs:
2.2.33
c2_2_33
ensure_increase_scheduling_priority_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Increase scheduling priority']
2.2.34 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Load_and_unload_device_drivers
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Load_and_unload_device_drivers"
      dsc_force: true
- Alternate Config IDs:
2.2.34
c2_2_34
ensure_load_and_unload_device_drivers_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Load and unload device drivers']
2.2.35 - (L1) Ensure 'Lock pages in memory' is set to 'No One'
- Parameters:
users
- [Array[String]
] - Default:[]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Lock_pages_in_memory
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Lock pages in memory' is set to 'No One'":
      users: []
      dsc_policy: "Lock_pages_in_memory"
      dsc_force: true
- Alternate Config IDs:
2.2.35
c2_2_35
ensure_lock_pages_in_memory_is_set_to_no_one
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Lock pages in memory']
2.2.38 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Manage_auditing_and_security_log
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Manage_auditing_and_security_log"
      dsc_force: true
- Alternate Config IDs:
2.2.38
c2_2_38
ensure_manage_auditing_and_security_log_is_set_to_administrators_ms_only
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Manage auditing and security log']
2.2.39 - (L1) Ensure 'Modify an object label' is set to 'No One'
- Parameters:
users
- [Array[String]
] - Default:[]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Modify_an_object_label
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify an object label' is set to 'No One'":
      users: []
      dsc_policy: "Modify_an_object_label"
      dsc_force: true
- Alternate Config IDs:
2.2.39
c2_2_39
ensure_modify_an_object_label_is_set_to_no_one
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Modify an object label']
2.2.40 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Modify_firmware_environment_values
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Modify_firmware_environment_values"
      dsc_force: true
- Alternate Config IDs:
2.2.40
c2_2_40
ensure_modify_firmware_environment_values_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Modify firmware environment values']
2.2.41 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Perform_volume_maintenance_tasks
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Perform_volume_maintenance_tasks"
      dsc_force: true
- Alternate Config IDs:
2.2.41
c2_2_41
ensure_perform_volume_maintenance_tasks_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Perform volume maintenance tasks']
2.2.42 - (L1) Ensure 'Profile single process' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Profile_single_process
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile single process' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Profile_single_process"
      dsc_force: true
- Alternate Config IDs:
2.2.42
c2_2_42
ensure_profile_single_process_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Profile single process']
2.2.43 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Profile_system_performance
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'":
      users: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
      dsc_policy: "Profile_system_performance"
      dsc_force: true
- Alternate Config IDs:
2.2.43
c2_2_43
ensure_profile_system_performance_is_set_to_administrators_nt_servicewdiservicehost
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Profile system performance']
2.2.44 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
- Parameters:
users
- [Array[String]
] - Default:["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Replace_a_process_level_token
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Replace_a_process_level_token"
      dsc_force: true
- Alternate Config IDs:
2.2.44
c2_2_44
ensure_replace_a_process_level_token_is_set_to_local_service_network_service
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Replace a process level token']
2.2.45 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Restore_files_and_directories
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Restore files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Restore_files_and_directories"
      dsc_force: true
- Alternate Config IDs:
2.2.45
c2_2_45
ensure_restore_files_and_directories_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Restore files and directories']
2.2.46 - (L1) Ensure 'Shut down the system' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Shut_down_the_system
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Shut down the system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Shut_down_the_system"
      dsc_force: true
- Alternate Config IDs:
2.2.46
c2_2_46
ensure_shut_down_the_system_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Shut down the system']
2.2.48 - (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'
- Parameters:
users
- [Array[String]
] - Default:["Builtin\\Administrators"]
dsc_policy
- [Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"]
] - Default:Take_ownership_of_files_or_other_objects
dsc_force
- [Boolean
] - Default:true
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Take_ownership_of_files_or_other_objects"
      dsc_force: true
- Alternate Config IDs:
2.2.48
c2_2_48
ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators
- Resource:
Sce_windows::Utils::Userrightsassignment_wrapper['Take ownership of files or other objects']
2.3.1.1 - (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
- Parameters:
dsc_accounts_block_microsoft_accounts
- [Optional[Enum["This policy is disabled", "Users cant add Microsoft accounts", "Users cant add or log on with Microsoft accounts"]]
] - Default:Users cant add or log on with Microsoft accounts
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'":
      dsc_accounts_block_microsoft_accounts: "Users cant add or log on with Microsoft accounts"
- Alternate Config IDs:
2.3.1.1
c2_3_1_1
ensure_accounts_block_microsoft_accounts_is_set_to_users_cant_add_or_log_on_with_microsoft_accounts
- Resource:
Class['sce_windows::utils::securityoption_wrapper']
2.3.1.2 - (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)
- Parameters:
dsc_accounts_guest_account_status
- [Optional[Enum["Enabled", "Disabled"]]
] - Default:Disabled
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)":
      dsc_accounts_guest_account_status: "Disabled"
- Alternate Config IDs:
2.3.1.2
c2_3_1_2
ensure_accounts_guest_account_status_is_set_to_disabled_ms_only
- Resource:
Class['sce_windows::utils::securityoption_wrapper']
2.3.1.3 - (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
- Parameters:
dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only
- [Optional[Enum["Enabled", "Disabled"]]
] - Default:Enabled
- Supported Levels:
level_1
- Supported Profiles:
member_server
- Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'":
      dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only: "Enabled"
- Alternate Config IDs:
2.3.1.3
c2_3_1_3
ensure_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_enabled
- Resource:
Class['sce_windows::utils::securityoption_wrapper']
2.3.1.4 - (L1) Configure 'Accounts: Rename administrator account'
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. They’re perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
sce_delete_securitypolicy_inf
Deletes c:\windows\temp\SecurityPolicy.inf. If this file becomes corrupted or is in a security state that prevents the Puppet agent from writing to it, this can cause various DSC_* errors and can prevent Puppet from making changes to the affected system.
Change log
The changelog for SCE for Windows lives on the official documentation site.
Dependencies
- puppetlabs-stdlib (>= 6.0.0 < 10.0.0)
- puppetlabs-registry (>= 3.2.0 < 6.0.0)
- dsc-networkingdsc (>= 8.1.0-0-1 < 10.0.0)
- dsc-auditpolicydsc (>= 1.4.0-0-4 < 2.0.0)
- dsc-securitypolicydsc (>= 2.10.0-0-3 < 4.0.0)
- puppetlabs-pwshlib (>= 0.9.0 < 2.0.0)
- puppetlabs-powershell (>= 5.0.0 < 7.0.0)