local_security_policy
Windows Local Security Policy management. Forked from cannonps/local_security_policy
Version information
released Aug 26th 2016
This version is compatible with:
- windows
Start using this module
Add this module to your Puppetfile:
mod 'ayohrling-local_security_policy', '0.6.0'Learn more about managing modules with a PuppetfileDocumentation
ayohrling/local_security_policy — version 0.6.0 Aug 26th 2016
Puppet Local Security Policy
created by Paul Cannon at email paulscannon at gmail dot com
forked and updated by Adam Yohrling at email aryohrling at gmail dot com
Local_security_policy features
Configure, local security policy (LSP) for windows servers.
LSP is key to a baseline configuration of the following security features:
Account Policy
- Password Policy
- Account Lockout Policy
Local Policy
- Audit Policy
- User Rights Assignment
- Security Options
- Registry Values
This module uses types and providers to list, update, validate settings
Use
The title and name of the resources is exact match of what is in secedit GUI. If you are uncertain of the setting name and values just user 'resource' to pipe them all into a file and make adjustments as necessary. The block will look like this
local_security_policy { 'Audit account logon events': <- Title / Name
ensure => present, <- Always present
policy_setting => "AuditAccountLogon", <- The secedit file key. Informational purposes only, not for use in manifest definitions
policy_type => "Event Audit", <- The secedit file section, Informational purposes only, not for use in manifest definitions
policy_value => 'Success,Failure', <- Values
}
Listing all settings
Show all local_security_policy resources available on server
puppet resource local_security_policy
Show a single local_security_policy resources available on server
puppet resource local_security_policy 'Maximum password age'
More examples
Example Password Policy
local_security_policy { 'Maximum password age':
ensure => present,
policy_value => '90',
}
Example Audit Policy
local_security_policy { 'Audit account logon events':
ensure => present,
policy_value => 'Success,Failure',
}
Example User Rights Policy
local_security_policy { 'Allow log on locally':
ensure => present,
policy_value => '90',
}
Example Security Settings
local_security_policy { 'System cryptography: Use FIPS compiant algorithms for encryption, hashing, and signing':
ensure => present,
policy_value => 1 ,
}
Full list of settings available
Access Credential Manager as a trusted caller
Access this computer from the network
Account lockout duration
Account lockout threshold
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Accounts: Require Login to Change Password
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore priviliege
Audit: Shut down system immediately if unable to log security audits
AuditProcessTracking
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Enable computer and user accounts to be trusted for delegation
EnableAdminAccount
EnableGuestAccount
Enforce password history
Force shutdown from a remote system
ForceLogoffWhenHourExpire
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
LSAAnonymousNameLookup
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
Manage auditing and security log
Maximum password age
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Microsoft network server: Digitally sign communications (always)
Microsoft network server: Server SPN target name validation level
Minimum password age
Minimum password length
Modify an object label
Modify firmware environment values
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network security: All Local System to use computer identiry for NTLM
Network security: Do not store LAN Manager hash value on next password change
Network security: LAN Manager authentication level
Password must meet complexity requirements
Perform volume maintenance tasks
Profile single process
Profile system performance
Recovery console: Allow automatic adminstrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Remove computer from docking station
Replace a process level token
Reset account lockout counter after
Restore files and directories
Shut down the system
Shutdown: Allow system to be shut down without having to log on
Store passwords using reversible encryption
Synchronize directory service data
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Take ownership of files or other objects
User Account Control: Admin Approval Mode for the built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate UIAccess applicaitons that are installed in secure locations
User Account Control: Only elevate executables that are signed and validated
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
How this works
The local_security_policy works by using secedit /export to export a list of currently set policies. The module will then
take the user defined resource and compare the values against the exported policies. If the values on the system do not match
the defined resource, the module will run secedit /configure to configure the policy on the system. If the policy already
exists on the system no change will be made.
In order to make setting these polices easier, this module has extracted some of the difficult to lookup or remember pieces
of a policy and placed them in a map for easy translation and value conversion. This means that you only need to remember the user
instead of the sid value, as well as the policy description instead of the special key that needs to be set. The mappings
below define how this translation works. If there is no map for your policy you will need to add to lib/puppet_x/lsp/security_policy.rb
'Accounts: Rename administrator account' => {
:name => 'NewAdministratorName',
:policy_type => 'System Access',
:data_type => :quoted_string
},
'Recovery console: Allow floppy copy and access to all drives and all folders' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand',
:reg_type => '4',
:policy_type => 'Registry Values',
},
The key Accounts: Rename administrator account in the first hash is what the user will define as the name in the resource name.
Instead of remembering the policy name, the description will help us remember what the policy is for. When defining new policy
maps you will need to define the key, name, policy_type, and optionally, data_type or reg_type.
Currently for data_type there is only :quoted_string. However, for reg_type(integer value) there are many values which are listed below:
REG_NONE 0
REG_SZ 1
REG_EXPAND_SZ 2
REG_BINARY 3
REG_DWORD 4
REG_DWORD_LITTLE_ENDIAN 4
REG_DWORD_BIG_ENDIAN 5
REG_LINK 6
REG_MULTI_SZ 7
REG_RESOURCE_LIST 8
REG_FULL_RESOURCE_DESCRIPTOR 9
REG_RESOURCE_REQUIREMENTS_LIST 10
REG_QWORD 11
REG_QWORD_LITTLE_ENDIAN 11
Commands Used
TODO: Future release
- Handle unsupported policies
- Validate users in active directory are being handled.
Types in this module release
###[0.6.0] - Adam Yohrling
- Added new Network security settings, Typo Fixes, Idempotency - #18
###[0.5.2] - Ryan Russell-Yates
- Updated all ruby files to UTF-8 forced encoding.
###[0.4.1] - Adam Yohrling
- Fixed Issue 3 - undefined method error for 'Network access: Let Everyone permissions apply to anonymous users' setting
###[0.4.0] - Adam Yohrling
- Added support for ensuring Privilege Rights settings as absent
###[0.3.2] - Adam Yohrling
- Added support for currently unset values
- Removed duplicate and invalid 'initalize' method
- Cleaned out .DS_Store files that were in the repository
- Moved references for external methods to self.class in flush method and removed duplicate data
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.