Premium module

cem_windows

Compliance Enforcement Module for Windows

Project URL RSS Feed Report issues

Module Stats

4,717 downloads

259 latest version

Version information

released Apr 7th 2022

This version is compatible with:

Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
Puppet >= 6.23.0 < 8.0.0

This module has been deprecated by its author since May 8th 2024.

The reason given was: Replaced by puppetlabs-sce_windows

The author has suggested puppetlabs-sce_windows as its replacement.

Tags: security, hardening, compliance, cis, comply

Documentation

puppetlabs/cem_windows — version 1.1.1 Apr 7th 2022

`cem_windows`

cem_windows

Description

The cem_windows module is one of two Compliance Enforcement Modules (CEM). These are supported Puppet modules developed specifically to bring your Puppet Enterpirse (PE) managed nodes under compliance. CEM currently supports CIS (Center for Internet Security) compliance rules, and other compliance frameworks will be added to CEM in the future.

By default, CEM enforces CIS rules for the level 1 server profile.

This README walks you through installing CEM and customizing the configuration settings to suit your own compliance needs. For a list of available parameters, see the CEM reference.

To manage Linux nodes, navigate to cem_linux.

Setup

System requirements

cem_windows supports the following operating systems and CIS benchmarks:

Operating system	Framework	Level	Profile
Windows Server 2019	CIS benchmarks v1.2.1	1	Member Server
Windows Server 2016	CIS benchmarks v1.3.0	1	Member Server
Windows 10 Enterprise	CIS benchmarks v1.12.0	1	Corporate Enterprise

Note: CEM uses DSC modules and the validation_mode parameter to ensure resources do not get stuck in a "flapping" state. For more information, visit the DSC security policy.

Install CEM with Code Manager

Puppet Forge Premium Content has specific installation instructions found here.

Usage

By default, cem_windows enforces CIS rules depending on your operating system — the level 1 Member Server profile is enforced on Windows Server 2016 and Windows Server 2019, and the level 1 Corporate Enterprise profile is enforced on Windows 10.

If you installed CEM with Code Manager and assigned the cem_windows class to a node group in the PE Console, the default profile is automatically enforced. If you installed CEM without Code Manager, add include cem_windows to the profile assigned to your node.

To configure specific benchmarks, you can use Hiera.

Important: CEM's default settings are fully CIS compliant — too much customization can result in your configurations being noncompliant.

Controls Ignored by Default: Controls 2.3.1.1 and 2.3.1.5 are currently ignored by default because of non-idempotent and catalog apply issues. See Controls Ignored By Default Due to Errors for explanation and configuration options.

Finding and setting configuration options

You can find the configuration options for a specific control by referencing the reference file. The reference file is divided into sections, with each section representing a specific benchmark. In those benchmarks, you will see each control listed with several subsections:

Parameters:
- The parameters subsection lists all the configuration options for a control, along with the data type and default value.
Config Example:
- The config example subsection shows a snippet of Hiera that could be used to configure the control.
Supported Levels:
- The supported levels for a CIS control.
Supported Profiles:
- The supported profiles for a CIS control.
Alternate Config IDs:
- The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the control_config hash.
Resource:
- The name of the Puppet resource that enforces the control.

Alternate Config IDs

Due to architectural changes, you can now specify controls in the control_config hash using the full control name, the control number, the normalized control name, or the normalized control number. You cannot mix and match these forms and must pick a single control ID form to use for your config. Full control names and control numbers are copied verbatim from the benchmarks and are case-sensitive. Normalized control names are lowercased and contain only alphanumeric characters and underscores. Normalized control numbers are always prefixed with a c and contain only numeric characters separated by underscores.

Example of Alternate Config IDs:

Full control name: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
Control number: 1.1.1
Normalized control name: ensure_enforce_password_history_is_set_to_24_or_more_passwords
Normalized number: c1_1_1

Resource Data

The data that drives CEM Windows is located in data/windows/windows/<osmajversion>.yaml. These Hiera files contain resource definitions for each Puppet resource that enforces a control. THIS DATA SHOULD NOT BE MODIFIED. If you need to change the behavior of a control, please use the control_config hash to configure it.

Top-level configuration options

The configuration options are configured at the top-level of the module. If configuring with Hiera, these options will be prefixed with cem_windows::

framework - Enum['cis'] - the compliance framework to use. CEM only supports cis. Default: cis.
config - Optional[Hash] - where all non-top-level configuration options live. Default: undef.
allow_on_domain_controller: - Boolean — If cem_windows detects that it is running on a domain controller, it will not enforce any rules. It will log a warning stating such. This is to prevent accidentally enforcing incorrect compliance settings on domain controllers that could negatively impact an entire domain. Default: true.
enable_long_paths - Boolean - Enables long path support via the Windows registry. Setting this to false can cause issues with some of the DSC modules used in cem_windows. Default: true.
privileged_user - Optional[String] - If the Puppet agent does not run under a user with local administrator privileges, you need to supply the name of a user that has local administrator privileges. This is used by DSC to enforce state on the machine. Default: undef.
privileged_password - Sensitive[Any] - If using a privileged user, this is the password for that user account. Default: undef.
allow_local_account_rdp - Boolean - By default, cem_windows disabled remote desktop connection (RDP) access for non-domain accounts. Setting this to true allows local accounts present on the node to make RDP connections to the node. Default: false.

Framework configuration options

These options are available as key-value pairs within the cem_windows::config: hash.

control_configs - Optional[Hash] — where all rule-specific configurations live. Default: undef.
only - Optional[Array[String]] — takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp) — classes specified here are included in the catalog. Takes precedence over ignore:. Default: undef.
ignore - Optional[Array[String]] — takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are not included in the catalog. If only: is specified, this option does nothing. Default: undef.

CIS-specific configuration options

These options are available as key-value pairs within the cem_windows::config: hash. These options are only applicable to the CIS compliance framework.

profile - Optional[Enum['member_server', 'corporateenterprise']] — the name of the benchmark profile. corporateenterprise is only supported on Windows 10. Default for Windows Server: member_server, Default for Windows 10: corporate_enterprise.
level - Optional[Enum['1', '2']] — the name of the profile level. CEM only supports 1. Default: 1.

Control classes

Control classes (manifests/benchmarks/<benchmark>/controls/*.pp) are the interfaces that configure rule settings. Each control class accepts the following two parameters:

The $enforced (Boolean) parameter — this toggles whether the included code in the manifest is executed.
The $config parameter — this holds the configuration options for a control class as keys in the hash. You set the $config parameter based on values from the control_configs hash. Each top-level key is a control class name (sans path and .pp suffix) and the value of that key is a hash. The keys of the sub-hash map 1 to 1 with the configuration options available in the specific control class.

For example, a control class would looks like:

# @summary CIS 1.2.1 Windows Server 2019 17.1.1 L1 Ensure Audit Credential Validation is set to Success and Failure
#
# @param [Boolean] enforced
#   If true, the control will be enforced
# @param [Hash] config
#   Options for the control
# @option config [Boolean] success
#   Defaults to true
# @option config [Boolean] failure
#   Defaults to true
class cem_windows::benchmarks::cis::controls::w2019::c17_1_1 (
  Boolean $enforced = true,
  Hash $config = {},
) {
  ...
}

And the Hiera file would look like:

cem_windows::config:
  control_configs:
    c17_1_1:
      success: true
      failure: true

For a list of control classes and their configuration options, see the reference.

Configuration Examples

Running DSC resources as a specific user

DSC requires local administrator privileges to modify Windows resources. Normally, the Puppet agent runs under a user account with these permissions. However, if the Puppet agent on a node does not have local administrator permissions you can configure the username and password of a user account that does using Hiera. For example:

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::privileged_user: <user name>
cem_windows::privileged_pass: <user password>

Allowing local accounts to access nodes

To configure a node to allow a local user account to access the node with RDP, set the top-level option allow_local_account_rdp to true. For example:

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::allow_local_account_rdp: true

Enforcing specific rules

To configure CEM to enforce only enforce specific rules, you can use the only key. For example:

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::framework: 'cis'
cem_windows::config:
  profile: 'member_server'
  level: '1'
  only:
    - 'c18_9_97_1_1'
    - 'c18_9_97_1_2'

Ignoring specific rules

To configure CEM to ignore specific rules, you can use the ignore key. For example:

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::framework: 'cis'
cem_windows::config:
  profile: 'member_server'
  level: '1'
  ignore:
    - 'c18_9_97_1_1'
    - 'c18_9_97_1_2'

Note: The only key and the ignore key are mutually exclusive, with only taking precedence. This means that if you specify both keys, CEM does not use the value of the ignore key is not used and only enforces the rules specified with only.

Configuring individual rules

You can customize most rules. To configure these, use the control_configs key and supplying it with a Hash value:

<recommendation class name>:
  <recommendation class param>: <value>

For example, if you want to configure the rules used in the previous examples, it would look like:

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::framework: 'cis'
cem_windows::config:
  profile: 'member_server'
  level: '1'
  control_configs:
    c18_9_97_1_1:
      allowbasic: '0'
    c18_9_97_1_2:
      allowunencryptedtraffic: '0'

Renaming Administrator and Guest accounts

To rename the local Administrator account to user_1, use the following configuration.

Important: The Administrator account is renamed to magic by default.

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::config:
  control_configs:
    c2_3_1_5:
      value: 'user_1'

To rename the local Guest account to user_2, use the following configuration.

Important: The Guest account is renamed to pumpkin by default.

# control-repo/data/nodes/winserv2019.contoso.com.yaml
---
cem_windows::config:
  control_configs:
    c2_3_1_6:
      value: 'user_2'

Known Issues

cem_windows currently has the following limitations:

Some controls can fail scans. Each of these controls is enforced by CEM Windows. The following controls have been known to fail scans when scanned with Comply:
- 1.1.5 - Windows Server 2016 & Windows Server 2019
- 1.1.6 - Windows Server 2016 & Windows Server 2019
- 2.3.10.7 - Windows Server 2016
- 18.2.1 - Windows Server 2019
- 18.4.1 - Windows Server 2016 & Windows Server 2019
- 18.4.8 - Windows Server 2016 & Windows Server 2019
- 18.4.9 - Windows Server 2016 & Windows Server 2019
- 18.4.12 - Windows Server 2016
- 18.5.21.1 - Windows Server 2019
- 18.8.21.5 - Windows Server 2016 & Windows Server 2019
- 18.9.45.4.1.2 - Windows Server 2019
- 18.9.62.3.9.1 - Windows Server 2016 & Windows Server 2019
Puppet runs are not idempotent. If you see DSC resources showing corrective changes in a Puppet run, for example, Unknown feature "custom_isync", it means that you are not running the correct version of Puppet. cem_windows requires Puppet Agent >= v6.23 < 7.0 or >= 7.8.
Puppet agent does not upgrade using the puppetlabs-puppet_agent module. When you upgrade the Puppet agent upgrades, make sure you reboot your machine.
You cannot RDP to nodes. By default, users that are members of the groups Guests and local accounts will not be able to log in. To override this behavior, set the cem_windows::allow_local_account_rdp parameter to true.
Non-admin users cannot log in to nodes. By default, the event Log does not clear events. When the event log of a node is full , only administrators can log in. To clear the event logs manually, find the specific recommendation in your compliance framework and configure the setting. This behavior is set by the registry key being 0 (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application:Retention).
WinRM is not disabled. The WinRM service is required for the DSC modules and cannot be disabled.

Controls Ignored By Default Due To Errors

2.3.1.1 (Ensure 'Accounts: Administrator account status' is set to 'Disabled') - Can cause non-idempotent runs. Can cause puppet run failures when running puppet manually while logged in as administrator.
2.3.1.5 (Configure 'Accounts: Rename administrator account') - Can cause non-idempotent runs. Can cause puppet run failures when running puppet manually while logged in as administrator.

To enable controls ignored by default create an ignore config that doesn't include them. This for example will only ignore control 1.1.1, thus overriding the default ignore list:

cem_windows::config:
  ignore:
    - 'c1_1_1'

This will remove all controls from the ignore list:

cem_windows::config:
  ignore: []

CEM Windows Reference

CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0
CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.3.0
CIS Microsoft Windows Server 2019 Benchmark v1.2.1

CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0

1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

Parameters:
- dsc_enforce_password_history - [ Integer ] - Default: 24
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
- 1.1.1
- ensure_enforce_password_history_is_set_to_24_or_more_passwords
Resource: Dsc_accountpolicy

1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

Parameters:
- dsc_maximum_password_age - [ Integer ] - Default: 365
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 365

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
- 1.1.2
- ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0
Resource: Dsc_accountpolicy

1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

Parameters:
- dsc_minimum_password_age - [ Integer ] - Default: 1
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
- 1.1.3
- ensure_minimum_password_age_is_set_to_1_or_more_days
Resource: Dsc_accountpolicy

1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

Parameters:
- dsc_minimum_password_length - [ Integer ] - Default: 14
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
      dsc_minimum_password_length: 14

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
- 1.1.4
- ensure_minimum_password_length_is_set_to_14_or_more_characters
Resource: Dsc_accountpolicy

1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

Parameters:
- dsc_password_must_meet_complexity_requirements - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
      dsc_password_must_meet_complexity_requirements: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
- 1.1.5
- ensure_password_must_meet_complexity_requirements_is_set_to_enabled
Resource: Dsc_accountpolicy

1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'

Parameters:
- value - [ String ] - Default: RelaxMinimumPasswordLengthLimits
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM
- type - [ String ] - Default: dword
- data - [ Integer ] - Default: 1
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'":
      value: 'RelaxMinimumPasswordLengthLimits'
      key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'
      type: 'dword'
      data: 1

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'
- 1.1.6
- ensure_relax_minimum_password_length_limits_is_set_to_enabled
Resource: Registry::value

1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

Parameters:
- dsc_store_passwords_using_reversible_encryption - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
      dsc_store_passwords_using_reversible_encryption: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
- 1.1.7
- ensure_store_passwords_using_reversible_encryption_is_set_to_disabled
Resource: Dsc_accountpolicy

1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

Parameters:
- dsc_account_lockout_duration - [ Integer ] - Default: 15
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
      dsc_account_lockout_duration: 15

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- 1.2.1
- ensure_account_lockout_duration_is_set_to_15_or_more_minutes
Resource: Dsc_accountpolicy

1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

Parameters:
- dsc_account_lockout_threshold - [ Integer ] - Default: 5
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
      dsc_account_lockout_threshold: 5

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
- 1.2.2
- ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
Resource: Dsc_accountpolicy

1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

Parameters:
- dsc_reset_account_lockout_counter_after - [ Integer ] - Default: 15
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
      dsc_reset_account_lockout_counter_after: 15

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
- 1.2.3
- ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes
Resource: Dsc_accountpolicy

2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

Parameters:
- users - [ Array ] - Default: [""]
- dsc_policy - [ String ] - Default: Access_Credential_Manager_as_a_trusted_caller
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
      users: [""]
      dsc_policy: 'Access_Credential_Manager_as_a_trusted_caller'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- 2.2.1
- ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'

Parameters:
- users - [ Array ] - Default: ["Administrators", "Remote Desktop Users"]
- dsc_policy - [ String ] - Default: Access_this_computer_from_the_network
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'":
      users: ["Administrators", "Remote Desktop Users"]
      dsc_policy: 'Access_this_computer_from_the_network'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
- 2.2.2
- ensure_access_this_computer_from_the_network_is_set_to_administrators_remote_desktop_users
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One'

Parameters:
- users - [ Array ] - Default: [""]
- dsc_policy - [ String ] - Default: Act_as_part_of_the_operating_system
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
      users: [""]
      dsc_policy: 'Act_as_part_of_the_operating_system'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Act as part of the operating system' is set to 'No One'
- 2.2.3
- ensure_act_as_part_of_the_operating_system_is_set_to_no_one
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
- dsc_policy - [ String ] - Default: Adjust_memory_quotas_for_a_process
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: 'Adjust_memory_quotas_for_a_process'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
- 2.2.4
- ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators", "Builtin\\Users"]
- dsc_policy - [ String ] - Default: Allow_log_on_locally
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'":
      users: ["Builtin\\Administrators", "Builtin\\Users"]
      dsc_policy: 'Allow_log_on_locally'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'
- 2.2.5
- ensure_allow_log_on_locally_is_set_to_administrators_users
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
- dsc_policy - [ String ] - Default: Allow_log_on_through_Remote_Desktop_Services
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'":
      users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
      dsc_policy: 'Allow_log_on_through_Remote_Desktop_Services'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
- 2.2.6
- ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators"]
- dsc_policy - [ String ] - Default: Back_up_files_and_directories
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: 'Back_up_files_and_directories'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Back up files and directories' is set to 'Administrators'
- 2.2.7
- ensure_back_up_files_and_directories_is_set_to_administrators
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
- dsc_policy - [ String ] - Default: Change_the_system_time
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: 'Change_the_system_time'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
- 2.2.8
- ensure_change_the_system_time_is_set_to_administrators_local_service
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators", "Builtin\\Users", "NT AUTHORITY\\LOCAL SERVICE"]
- dsc_policy - [ String ] - Default: Change_the_time_zone
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'":
      users: ["Builtin\\Administrators", "Builtin\\Users", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: 'Change_the_time_zone'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
- 2.2.9
- ensure_change_the_time_zone_is_set_to_administrators_local_service_users
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators"]
- dsc_policy - [ String ] - Default: Create_a_pagefile
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: 'Create_a_pagefile'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Create a pagefile' is set to 'Administrators'
- 2.2.10
- ensure_create_a_pagefile_is_set_to_administrators
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'

Parameters:
- users - [ Array ] - Default: [""]
- dsc_policy - [ String ] - Default: Create_a_token_object
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: [""]
      dsc_policy: 'Create_a_token_object'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Create a token object' is set to 'No One'
- 2.2.11
- ensure_create_a_token_object_is_set_to_no_one
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
- dsc_policy - [ String ] - Default: Create_global_objects
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: 'Create_global_objects'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
- 2.2.12
- ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'

Parameters:
- dsc_accounts_administrator_account_status - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'":
      dsc_accounts_administrator_account_status: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
- 2.3.1.1
- ensure_accounts_administrator_account_status_is_set_to_disabled
Resource: Dsc_securityoption

2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

Parameters:
- dsc_accounts_block_microsoft_accounts - [ String ] - Default: Users cant add or log on with Microsoft accounts
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'":
      dsc_accounts_block_microsoft_accounts: 'Users cant add or log on with Microsoft accounts'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
- 2.3.1.2
- ensure_accounts_block_microsoft_accounts_is_set_to_users_cant_add_or_log_on_with_microsoft_accounts
Resource: Dsc_securityoption

2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'

Parameters:
- dsc_accounts_guest_account_status - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'":
      dsc_accounts_guest_account_status: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'
- 2.3.1.3
- ensure_accounts_guest_account_status_is_set_to_disabled
Resource: Dsc_securityoption

2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'

Parameters:
- dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'":
      dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
- 2.3.1.4
- ensure_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_enabled
Resource: Dsc_securityoption

2.3.1.5 (L1) Configure 'Accounts: Rename administrator account'

Parameters:
- dsc_accounts_rename_administrator_account - [ String ] - Default: magic
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Configure 'Accounts: Rename administrator account'":
      dsc_accounts_rename_administrator_account: 'magic'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Configure 'Accounts: Rename administrator account'
- 2.3.1.5
- configure_accounts_rename_administrator_account
Resource: Dsc_securityoption

2.3.1.6 (L1) Configure 'Accounts: Rename guest account'

Parameters:
- dsc_accounts_rename_guest_account - [ String ] - Default: pumpkin
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Configure 'Accounts: Rename guest account'":
      dsc_accounts_rename_guest_account: 'pumpkin'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Configure 'Accounts: Rename guest account'
- 2.3.1.6
- configure_accounts_rename_guest_account
Resource: Dsc_securityoption

2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One'

Parameters:
- users - [ Array ] - Default: [""]
- dsc_policy - [ String ] - Default: Create_permanent_shared_objects
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: [""]
      dsc_policy: 'Create_permanent_shared_objects'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Create permanent shared objects' is set to 'No One'
- 2.2.13
- ensure_create_permanent_shared_objects_is_set_to_no_one
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'

Parameters:
- dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'":
      dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
- 2.3.2.1
- ensure_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings_is_set_to_enabled
Resource: Dsc_securityoption

2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'

Parameters:
- dsc_audit_shut_down_system_immediately_if_unable_to_log_security_audits - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'":
      dsc_audit_shut_down_system_immediately_if_unable_to_log_security_audits: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
- 2.3.2.2
- ensure_audit_shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_disabled
Resource: Dsc_securityoption

2.2.14 (L1) Configure 'Create symbolic links'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators"]
- dsc_policy - [ String ] - Default: Create_symbolic_links
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Configure 'Create symbolic links'":
      users: ["Builtin\\Administrators"]
      dsc_policy: 'Create_symbolic_links'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Configure 'Create symbolic links'
- 2.2.14
- configure_create_symbolic_links
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators"]
- dsc_policy - [ String ] - Default: Debug_programs
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: 'Debug_programs'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Debug programs' is set to 'Administrators'
- 2.2.15
- ensure_debug_programs_is_set_to_administrators
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'

Parameters:
- dsc_devices_allowed_to_format_and_eject_removable_media - [ String ] - Default: Administrators and Interactive Users
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'":
      dsc_devices_allowed_to_format_and_eject_removable_media: 'Administrators and Interactive Users'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'
- 2.3.4.1
- ensure_devices_allowed_to_format_and_eject_removable_media_is_set_to_administrators_and_interactive_users
Resource: Dsc_securityoption

2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'

Parameters:
- dsc_devices_prevent_users_from_installing_printer_drivers - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'":
      dsc_devices_prevent_users_from_installing_printer_drivers: 'Enabled'

Supported Levels:
- level_2
Supported Profiles:
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
- 2.3.4.2
- ensure_devices_prevent_users_from_installing_printer_drivers_is_set_to_enabled
Resource: Dsc_securityoption

2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
- dsc_policy - [ String ] - Default: Deny_access_to_this_computer_from_the_network
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: 'Deny_access_to_this_computer_from_the_network'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'
- 2.2.16
- ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Guests"]
- dsc_policy - [ String ] - Default: Deny_log_on_as_a_batch_job
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: 'Deny_log_on_as_a_batch_job'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Deny log on as a batch job' to include 'Guests'
- 2.2.17
- ensure_deny_log_on_as_a_batch_job_to_include_guests
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'

Parameters:
- dsc_domain_member_digitally_encrypt_or_sign_secure_channel_data_always - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'":
      dsc_domain_member_digitally_encrypt_or_sign_secure_channel_data_always: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
- 2.3.6.1
- ensure_domain_member_digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_enabled
Resource: Dsc_securityoption

2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'

Parameters:
- dsc_domain_member_digitally_encrypt_secure_channel_data_when_possible - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'":
      dsc_domain_member_digitally_encrypt_secure_channel_data_when_possible: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
- 2.3.6.2
- ensure_domain_member_digitally_encrypt_secure_channel_data_when_possible_is_set_to_enabled
Resource: Dsc_securityoption

2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'

Parameters:
- dsc_domain_member_digitally_sign_secure_channel_data_when_possible - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'":
      dsc_domain_member_digitally_sign_secure_channel_data_when_possible: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
- 2.3.6.3
- ensure_domain_member_digitally_sign_secure_channel_data_when_possible_is_set_to_enabled
Resource: Dsc_securityoption

2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'

Parameters:
- dsc_domain_member_disable_machine_account_password_changes - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'":
      dsc_domain_member_disable_machine_account_password_changes: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
- 2.3.6.4
- ensure_domain_member_disable_machine_account_password_changes_is_set_to_disabled
Resource: Dsc_securityoption

2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'

Parameters:
- dsc_domain_member_maximum_machine_account_password_age - [ String ] - Default: 30
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'":
      dsc_domain_member_maximum_machine_account_password_age: '30'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'
- 2.3.6.5
- ensure_domain_member_maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0
Resource: Dsc_securityoption

2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'

Parameters:
- dsc_domain_member_require_strong_windows_2000_or_later_session_key - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'":
      dsc_domain_member_require_strong_windows_2000_or_later_session_key: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
- 2.3.6.6
- ensure_domain_member_require_strong_windows_2000_or_later_session_key_is_set_to_enabled
Resource: Dsc_securityoption

2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Guests"]
- dsc_policy - [ String ] - Default: Deny_log_on_as_a_service
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: 'Deny_log_on_as_a_service'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Deny log on as a service' to include 'Guests'
- 2.2.18
- ensure_deny_log_on_as_a_service_to_include_guests
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'

Parameters:
- dsc_interactive_logon_do_not_require_ctrl_alt_del - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'":
      dsc_interactive_logon_do_not_require_ctrl_alt_del: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
- 2.3.7.1
- ensure_interactive_logon_do_not_require_ctrlaltdel_is_set_to_disabled
Resource: Dsc_securityoption

2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'

Parameters:
- dsc_interactive_logon_do_not_display_last_user_name - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'":
      dsc_interactive_logon_do_not_display_last_user_name: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'
- 2.3.7.2
- ensure_interactive_logon_dont_display_last_signed_in_is_set_to_enabled
Resource: Dsc_securityoption

2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'

Parameters:
- dsc_interactive_logon_machine_account_lockout_threshold - [ String ] - Default: 10
Config Example:

cem_windows::config:
  control_configs:
    "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'":
      dsc_interactive_logon_machine_account_lockout_threshold: '10'

Supported Levels:
- level_1
- level_2
- bl
Supported Profiles:
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_bitlocker_bl___optional_add_on_for_when_bitlocker_is_deployed
Alternate Config IDs:
- (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
- 2.3.7.3
- bl_ensure_interactive_logon_machine_account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0
Resource: Dsc_securityoption

2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'

Parameters:
- dsc_interactive_logon_machine_inactivity_limit - [ String ] - Default: 900
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'":
      dsc_interactive_logon_machine_inactivity_limit: '900'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
- 2.3.7.4
- ensure_interactive_logon_machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0
Resource: Dsc_securityoption

2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on'

Parameters:
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- value - [ String ] - Default: LegalNoticeText
- type - [ String ] - Default: string
- data - [ String ] - Default: Authorized Logon Only
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Configure 'Interactive logon: Message text for users attempting to log on'":
      key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'LegalNoticeText'
      type: 'string'
      data: 'Authorized Logon Only'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Configure 'Interactive logon: Message text for users attempting to log on'
- 2.3.7.5
- configure_interactive_logon_message_text_for_users_attempting_to_log_on
Resource: Registry::value

2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on'

Parameters:
- dsc_interactive_logon_message_title_for_users_attempting_to_log_on - [ String ] - Default: Authorized Logon Only
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Configure 'Interactive logon: Message title for users attempting to log on'":
      dsc_interactive_logon_message_title_for_users_attempting_to_log_on: 'Authorized Logon Only'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Configure 'Interactive logon: Message title for users attempting to log on'
- 2.3.7.6
- configure_interactive_logon_message_title_for_users_attempting_to_log_on
Resource: Dsc_securityoption

2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'

Parameters:
- dsc_interactive_logon_number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available - [ String ] - Default: 4
Config Example:

cem_windows::config:
  control_configs:
    "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'":
      dsc_interactive_logon_number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available: '4'

Supported Levels:
- level_2
Supported Profiles:
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
- 2.3.7.7
- ensure_interactive_logon_number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_is_set_to_4_or_fewer_logons
Resource: Dsc_securityoption

2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'

Parameters:
- dsc_interactive_logon_prompt_user_to_change_password_before_expiration - [ String ] - Default: 14
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'":
      dsc_interactive_logon_prompt_user_to_change_password_before_expiration: '14'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
- 2.3.7.8
- ensure_interactive_logon_prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days
Resource: Dsc_securityoption

2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher

Parameters:
- dsc_interactive_logon_smart_card_removal_behavior - [ String ] - Default: Lock workstation
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher":
      dsc_interactive_logon_smart_card_removal_behavior: 'Lock workstation'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
- 2.3.7.9
- ensure_interactive_logon_smart_card_removal_behavior_is_set_to_lock_workstation_or_higher
Resource: Dsc_securityoption

2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Guests"]
- dsc_policy - [ String ] - Default: Deny_log_on_locally
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: 'Deny_log_on_locally'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Deny log on locally' to include 'Guests'
- 2.2.19
- ensure_deny_log_on_locally_to_include_guests
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'

Parameters:
- dsc_microsoft_network_client_digitally_sign_communications_always - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'":
      dsc_microsoft_network_client_digitally_sign_communications_always: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
- 2.3.8.1
- ensure_microsoft_network_client_digitally_sign_communications_always_is_set_to_enabled
Resource: Dsc_securityoption

2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'

Parameters:
- dsc_microsoft_network_client_digitally_sign_communications_if_server_agrees - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'":
      dsc_microsoft_network_client_digitally_sign_communications_if_server_agrees: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
- 2.3.8.2
- ensure_microsoft_network_client_digitally_sign_communications_if_server_agrees_is_set_to_enabled
Resource: Dsc_securityoption

2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'

Parameters:
- dsc_microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'":
      dsc_microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
- 2.3.8.3
- ensure_microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers_is_set_to_disabled
Resource: Dsc_securityoption

2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
- dsc_policy - [ String ] - Default: Deny_log_on_through_Remote_Desktop_Services
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: 'Deny_log_on_through_Remote_Desktop_Services'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
- 2.2.20
- ensure_deny_log_on_through_remote_desktop_services_to_include_guests_local_account
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'

Parameters:
- dsc_microsoft_network_server_amount_of_idle_time_required_before_suspending_session - [ String ] - Default: 15
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'":
      dsc_microsoft_network_server_amount_of_idle_time_required_before_suspending_session: '15'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'
- 2.3.9.1
- ensure_microsoft_network_server_amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes
Resource: Dsc_securityoption

2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'

Parameters:
- dsc_microsoft_network_server_digitally_sign_communications_always - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'":
      dsc_microsoft_network_server_digitally_sign_communications_always: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
- 2.3.9.2
- ensure_microsoft_network_server_digitally_sign_communications_always_is_set_to_enabled
Resource: Dsc_securityoption

2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'

Parameters:
- dsc_microsoft_network_server_digitally_sign_communications_if_client_agrees - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'":
      dsc_microsoft_network_server_digitally_sign_communications_if_client_agrees: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
- 2.3.9.3
- ensure_microsoft_network_server_digitally_sign_communications_if_client_agrees_is_set_to_enabled
Resource: Dsc_securityoption

2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'

Parameters:
- dsc_microsoft_network_server_disconnect_clients_when_logon_hours_expire - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'":
      dsc_microsoft_network_server_disconnect_clients_when_logon_hours_expire: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
- 2.3.9.4
- ensure_microsoft_network_server_disconnect_clients_when_logon_hours_expire_is_set_to_enabled
Resource: Dsc_securityoption

2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher

Parameters:
- dsc_microsoft_network_server_server_spn_target_name_validation_level - [ String ] - Default: Accept if provided by client
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher":
      dsc_microsoft_network_server_server_spn_target_name_validation_level: 'Accept if provided by client'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
- 2.3.9.5
- ensure_microsoft_network_server_server_spn_target_name_validation_level_is_set_to_accept_if_provided_by_client_or_higher
Resource: Dsc_securityoption

2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'

Parameters:
- users - [ Array ] - Default: [""]
- dsc_policy - [ String ] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'":
      users: [""]
      dsc_policy: 'Enable_computer_and_user_accounts_to_be_trusted_for_delegation'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'
- 2.2.21
- ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'

Parameters:
- dsc_network_access_allow_anonymous_sid_name_translation - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'":
      dsc_network_access_allow_anonymous_sid_name_translation: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
- 2.3.10.1
- ensure_network_access_allow_anonymous_sidname_translation_is_set_to_disabled
Resource: Dsc_securityoption

2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'

Parameters:
- dsc_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'":
      dsc_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
- 2.3.10.2
- ensure_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_is_set_to_enabled
Resource: Dsc_securityoption

2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'

Parameters:
- dsc_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'":
      dsc_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
- 2.3.10.3
- ensure_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares_is_set_to_enabled
Resource: Dsc_securityoption

2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'

Parameters:
- dsc_network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'":
      dsc_network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
- 2.3.10.4
- ensure_network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication_is_set_to_enabled
Resource: Dsc_securityoption

2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'

Parameters:
- dsc_network_access_let_everyone_permissions_apply_to_anonymous_users - [ String ] - Default: Disabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'":
      dsc_network_access_let_everyone_permissions_apply_to_anonymous_users: 'Disabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
- 2.3.10.5
- ensure_network_access_let_everyone_permissions_apply_to_anonymous_users_is_set_to_disabled
Resource: Dsc_securityoption

2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'

Parameters:
- dsc_network_access_named_pipes_that_can_be_accessed_anonymously - [ String ] - Default: ``
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'":
      dsc_network_access_named_pipes_that_can_be_accessed_anonymously: ''

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
- 2.3.10.6
- ensure_network_access_named_pipes_that_can_be_accessed_anonymously_is_set_to_none
Resource: Dsc_securityoption

2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' is configured

Parameters:
- dsc_network_access_remotely_accessible_registry_paths - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured":
      dsc_network_access_remotely_accessible_registry_paths: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Remotely accessible registry paths' is configured
- 2.3.10.7
- ensure_network_access_remotely_accessible_registry_paths_is_configured
Resource: Dsc_securityoption

2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured

Parameters:
- dsc_network_access_remotely_accessible_registry_paths_and_subpaths - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured":
      dsc_network_access_remotely_accessible_registry_paths_and_subpaths: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured
- 2.3.10.8
- ensure_network_access_remotely_accessible_registry_paths_and_sub_paths_is_configured
Resource: Dsc_securityoption

2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'

Parameters:
- dsc_network_access_restrict_anonymous_access_to_named_pipes_and_shares - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'":
      dsc_network_access_restrict_anonymous_access_to_named_pipes_and_shares: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
- 2.3.10.9
- ensure_network_access_restrict_anonymous_access_to_named_pipes_and_shares_is_set_to_enabled
Resource: Dsc_securityoption

2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'

Parameters:
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- value - [ String ] - Default: restrictremotesam
- type - [ String ] - Default: string
- data - [ String ] - Default: O:BAG:BAD:(A;;RC;;;BA)
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'":
      key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
      value: 'restrictremotesam'
      type: 'string'
      data: 'O:BAG:BAD:(A;;RC;;;BA)'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
- 2.3.10.10
- ensure_network_access_restrict_clients_allowed_to_make_remote_calls_to_sam_is_set_to_administrators_remote_access_allow
Resource: Registry::value

2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

Parameters:
- users - [ Array ] - Default: ["Builtin\\Administrators"]
- dsc_policy - [ String ] - Default: Force_shutdown_from_a_remote_system
- dsc_force - [ Boolean ] - Default: true
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: 'Force_shutdown_from_a_remote_system'
      dsc_force: true

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'
- 2.2.22
- ensure_force_shutdown_from_a_remote_system_is_set_to_administrators
Resource: Cem_windows::utils::userrightsassignment_wrapper

2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'

Parameters:
- dsc_network_access_shares_that_can_be_accessed_anonymously - [ String ] - Default: ``
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'":
      dsc_network_access_shares_that_can_be_accessed_anonymously: ''

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
- 2.3.10.11
- ensure_network_access_shares_that_can_be_accessed_anonymously_is_set_to_none
Resource: Dsc_securityoption

2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'

Parameters:
- dsc_network_access_sharing_and_security_model_for_local_accounts - [ String ] - Default: Classic - Local users authenticate as themselves
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'":
      dsc_network_access_sharing_and_security_model_for_local_accounts: 'Classic - Local users authenticate as themselves'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
- 2.3.10.12
- ensure_network_access_sharing_and_security_model_for_local_accounts_is_set_to_classic___local_users_authenticate_as_themselves
Resource: Dsc_securityoption

2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'

Parameters:
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- value - [ String ] - Default: UseMachineId
- type - [ String ] - Default: dword
- data - [ Integer ] - Default: 1
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'":
      key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
      value: 'UseMachineId'
      type: 'dword'
      data: 1

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
- 2.3.11.1
- ensure_network_security_allow_local_system_to_use_computer_identity_for_ntlm_is_set_to_enabled
Resource: Registry::value

2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'

Parameters:
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- value - [ String ] - Default: AllowNullSessionFallback
- type - [ String ] - Default: dword
- data - [ Integer ] - Default: 0
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'":
      key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
      value: 'AllowNullSessionFallback'
      type: 'dword'
      data: 0

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
- 2.3.11.2
- ensure_network_security_allow_localsystem_null_session_fallback_is_set_to_disabled
Resource: Registry::value

2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'

Parameters:
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\pku2u
- value - [ String ] - Default: AllowOnlineID
- type - [ String ] - Default: dword
- data - [ Integer ] - Default: 0
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'":
      key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
      value: 'AllowOnlineID'
      type: 'dword'
      data: 0

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
- 2.3.11.3
- ensure_network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities_is_set_to_disabled
Resource: Registry::value

2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'

Parameters:
- dsc_network_security_configure_encryption_types_allowed_for_kerberos - [ Array ] - Default: ["AES128_HMAC_SHA1", "AES256_HMAC_SHA1", "FUTURE"]
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'":
      dsc_network_security_configure_encryption_types_allowed_for_kerberos: ["AES128_HMAC_SHA1", "AES256_HMAC_SHA1", "FUTURE"]

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
- 2.3.11.4
- ensure_network_security_configure_encryption_types_allowed_for_kerberos_is_set_to_aes128_hmac_sha1_aes256_hmac_sha1_future_encryption_types
Resource: Dsc_securityoption

2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'

Parameters:
- dsc_network_security_do_not_store_lan_manager_hash_value_on_next_password_change - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'":
      dsc_network_security_do_not_store_lan_manager_hash_value_on_next_password_change: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
- 2.3.11.5
- ensure_network_security_do_not_store_lan_manager_hash_value_on_next_password_change_is_set_to_enabled
Resource: Dsc_securityoption

2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'

Parameters:
- dsc_network_security_force_logoff_when_logon_hours_expire - [ String ] - Default: Enabled
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'":
      dsc_network_security_force_logoff_when_logon_hours_expire: 'Enabled'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
- 2.3.11.6
- ensure_network_security_force_logoff_when_logon_hours_expire_is_set_to_enabled
Resource: Dsc_securityoption

2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'

Parameters:
- key - [ String ] - Default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- value - [ String ] - Default: LmCompatibilityLevel
- type - [ String ] - Default: dword
- data - [ Integer ] - Default: 5
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'":
      key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
      value: 'LmCompatibilityLevel'
      type: 'dword'
      data: 5

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'
- 2.3.11.7
- ensure_network_security_lan_manager_authentication_level_is_set_to_send_ntlmv2_response_only__refuse_lm__ntlm
Resource: Registry::value

2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher

Parameters:
- dsc_network_security_ldap_client_signing_requirements - [ String ] - Default: Negotiate Signing
Config Example:

cem_windows::config:
  control_configs:
    "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher":
      dsc_network_security_ldap_client_signing_requirements: 'Negotiate Signing'

Supported Levels:
- level_1
- level_2
Supported Profiles:
- profile_level_1__corporateenterprise
- profile_level_1_bitlocker_bl
- profile_level_1_bitlocker_bl__ngws_ng
- profile_level_1_ngws_ng
- profile_level_2__high_security
- profile_level_2_bitlocker_bl
- profile_level_2_bitlocker_bl__ngws_ng
- profile_level_2_ngws_ng
Alternate Config IDs:
- (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
- 2.3.11.8
- ensure_network_security_ldap_client_signing_requirements_is_set_to_negotiate_signing_or_higher
Resource: Dsc_securityoption

2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'

Change log

All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

v1.1.0 (2022-04-07)

Fixed several instances in which configurations from versions previous to v1.1.0 were not recognized.
- The configuration should now be fully backwards compatible with versions prior to v1.1.0.
Fixed an issue that required the module to exist in the same environment as the Puppet primary server.
- You can now deploy the module to a different environment than your primary server and it will work.
Improved how controls are displayed in REFERENCE.md.
Fixed incorrect Puppet Strings in init.pp.

v1.1.0 (2022-03-24)

Windows 10 content updated to match the latest benchmark version, Microsoft Windows 10 v1.12.0, released with Comply 2.4.0.
Docs have been updated to list the controls we know will still show as failed or unknown in Comply after cem_windows is applied.
- Note: This is because the Comply/CISCAT scanner looks for the registry keys configured by GPOs rather than those set locally by the user/cem_windows to determine if the rule status should be pass, fail, etc. The CIS windows benchmarks have been designed to work for domain-joined systems only but CIS is working on creating windows benchmarks for standalone systems which will resolve this issue in the long term.
Updated cem_windows to new architecture. This is a seemless change, but does offer more flexibility in how you can configure your system. Please see the README for more details

v1.0.7 (2021-12-16)

Fixed

Remove unecessary resource defaults in two Windows 2016 control classes.

v1.0.6 (2021-12-16)

Fixed

Removed unnecessary resource defaults in some Windows 2016 control classes.

v1.0.5 (2021-12-08)

Fixed

Fixed non-idempotent DSC resources
Fixed registry key for Windows 10 CIS control 1.1.6

v1.0.4 (2021-12-07)

Fixed

Fixed dsc_accountpolicy values not being set correctly
Added link to premium content install instructions to README

v1.0.3 (2021-10-13)

Fixed

Fixed default value for CIS control 2.3.1.1
Fixed parameter cem_windows::allow_local_account_rdp

v1.0.2 (2021-10-11)

Fixed

Fixed firewall profiles

v1.0.1 (2021-09-30)

Fixed

Fixed Windows 10 Hiera name

* This Changelog was automatically generated by github_changelog_generator

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

cem_windows

Version information

This version is compatible with:

This module has been deprecated by its author since May 8th 2024.

Documentation

cem_windows

Table of Contents

Description

Setup

System requirements

Install CEM with Code Manager

Usage

Finding and setting configuration options

Alternate Config IDs

Resource Data

Top-level configuration options

Framework configuration options

CIS-specific configuration options

Control classes

Configuration Examples

Running DSC resources as a specific user

Allowing local accounts to access nodes

Enforcing specific rules

Ignoring specific rules

Configuring individual rules

Renaming Administrator and Guest accounts

Known Issues

Controls Ignored By Default Due To Errors

CEM Windows Reference

Table of Contents

CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0

1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'

1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'

2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One'

2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'

2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'

2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators'

2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'

2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'

2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'

2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'

2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'

2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'

2.3.1.5 (L1) Configure 'Accounts: Rename administrator account'

2.3.1.6 (L1) Configure 'Accounts: Rename guest account'

2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One'

2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'

2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'

2.2.14 (L1) Configure 'Create symbolic links'

2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'

2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'

2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'

2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'

2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'

2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'

2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'

`cem_windows`