CEM Windows Reference

Table of Contents

• CIS Microsoft Windows Server 2016 Benchmark 1.4.0
• CIS Microsoft Windows Server 2019 Benchmark 1.3.0
• CIS Microsoft Windows 10 Enterprise Benchmark 1.12.0

CIS Microsoft Windows Server 2016 Benchmark 1.4.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

• Parameters:
  • dsc_enforce_password_history - [ Optional[Integer[0, 4294967295]] ] - Default: 24
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24

• Alternate Config IDs:
  • 1.1.1
  • c1_1_1
  • ensure_enforce_password_history_is_set_to_24_or_more_passwords
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

• Parameters:
  • dsc_maximum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 60
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 60

• Alternate Config IDs:
  • 1.1.2
  • c1_1_2
  • ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

• Parameters:
  • dsc_minimum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 1
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1

• Alternate Config IDs:
  • 1.1.3
  • c1_1_3
  • ensure_minimum_password_age_is_set_to_1_or_more_days
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

• Parameters:
  • dsc_minimum_password_length - [ Optional[Integer[0, 4294967295]] ] - Default: 14
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
      dsc_minimum_password_length: 14

• Alternate Config IDs:
  • 1.1.4
  • c1_1_4
  • ensure_minimum_password_length_is_set_to_14_or_more_characters
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

• Parameters:
  • dsc_password_must_meet_complexity_requirements - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Enabled
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
      dsc_password_must_meet_complexity_requirements: "Enabled"

• Alternate Config IDs:
  • 1.1.5
  • c1_1_5
  • ensure_password_must_meet_complexity_requirements_is_set_to_enabled
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

• Parameters:
  • dsc_store_passwords_using_reversible_encryption - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Disabled
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
      dsc_store_passwords_using_reversible_encryption: "Disabled"

• Alternate Config IDs:
  • 1.1.6
  • c1_1_6
  • ensure_store_passwords_using_reversible_encryption_is_set_to_disabled
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

• Parameters:
  • dsc_account_lockout_duration - [ Optional[Integer[0, 4294967295]] ] - Default: 30
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
      dsc_account_lockout_duration: 30

• Alternate Config IDs:
  • 1.2.1
  • c1_2_1
  • ensure_account_lockout_duration_is_set_to_15_or_more_minutes
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

• Parameters:
  • dsc_account_lockout_threshold - [ Optional[Integer[0, 4294967295]] ] - Default: 5
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
      dsc_account_lockout_threshold: 5

• Alternate Config IDs:
  • 1.2.2
  • c1_2_2
  • ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.2.3 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

• Parameters:
  • dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
      dsc_reset_account_lockout_counter_after: 30

• Alternate Config IDs:
  • 1.2.3
  • c1_2_3
  • ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes
• Resource: Class['cem_windows::utils::accountpolicy_wrapper']

2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_Credential_Manager_as_a_trusted_caller
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
      users: []
      dsc_policy: "Access_Credential_Manager_as_a_trusted_caller"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.1
  • c2_2_1
  • ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Access Credential Manager as a trusted caller']

2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_this_computer_from_the_network
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Access this computer from the network'  is set to 'Administrators, Authenticated Users' (MS only)":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
      dsc_policy: "Access_this_computer_from_the_network"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.3
  • c2_2_3
  • ensure_access_this_computer_from_the_network__is_set_to_administrators_authenticated_users_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Access this computer from the network']

2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Act_as_part_of_the_operating_system
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
      users: []
      dsc_policy: "Act_as_part_of_the_operating_system"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.4
  • c2_2_4
  • ensure_act_as_part_of_the_operating_system_is_set_to_no_one
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Act as part of the operating system']

2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Adjust_memory_quotas_for_a_process
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Adjust_memory_quotas_for_a_process"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.6
  • c2_2_6
  • ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Adjust memory quotas for a process']

2.2.7 - (L1) Ensure 'Allow log on locally' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_locally
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on locally' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Allow_log_on_locally"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.7
  • c2_2_7
  • ensure_allow_log_on_locally_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Allow log on locally']

2.2.9 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_through_Remote_Desktop_Services
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)":
      users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
      dsc_policy: "Allow_log_on_through_Remote_Desktop_Services"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.9
  • c2_2_9
  • ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Allow log on through Remote Desktop Services']

2.2.10 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Back_up_files_and_directories
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Back_up_files_and_directories"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.10
  • c2_2_10
  • ensure_back_up_files_and_directories_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Back up files and directories']

2.2.11 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_system_time
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_system_time"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.11
  • c2_2_11
  • ensure_change_the_system_time_is_set_to_administrators_local_service
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Change the system time']

2.2.12 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_time_zone
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_time_zone"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.12
  • c2_2_12
  • ensure_change_the_time_zone_is_set_to_administrators_local_service
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Change the time zone']

2.2.13 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_pagefile
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_a_pagefile"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.13
  • c2_2_13
  • ensure_create_a_pagefile_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create a pagefile']

2.2.14 - (L1) Ensure 'Create a token object' is set to 'No One'

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_token_object
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: []
      dsc_policy: "Create_a_token_object"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.14
  • c2_2_14
  • ensure_create_a_token_object_is_set_to_no_one
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create a token object']

2.2.15 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_global_objects
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Create_global_objects"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.15
  • c2_2_15
  • ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create global objects']

2.2.16 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_permanent_shared_objects
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: []
      dsc_policy: "Create_permanent_shared_objects"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.16
  • c2_2_16
  • ensure_create_permanent_shared_objects_is_set_to_no_one
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create permanent shared objects']

2.2.18 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_symbolic_links
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_symbolic_links"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.18
  • c2_2_18
  • ensure_create_symbolic_links_is_set_to_administrators_nt_virtual_machinevirtual_machines_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create symbolic links']

2.2.19 - (L1) Ensure 'Debug programs' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Debug_programs
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Debug_programs"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.19
  • c2_2_19
  • ensure_debug_programs_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Debug programs']

2.2.21 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_access_to_this_computer_from_the_network
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
      dsc_policy: "Deny_access_to_this_computer_from_the_network"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.21
  • c2_2_21
  • ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account_and_member_of_administrators_group_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny access to this computer from the network']

2.2.22 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_batch_job
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_batch_job"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.22
  • c2_2_22
  • ensure_deny_log_on_as_a_batch_job_to_include_guests
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on as a batch job']

2.2.23 - (L1) Ensure 'Deny log on as a service' to include 'Guests'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_service
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_service"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.23
  • c2_2_23
  • ensure_deny_log_on_as_a_service_to_include_guests
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on as a service']

2.2.24 - (L1) Ensure 'Deny log on locally' to include 'Guests'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_locally
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_locally"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.24
  • c2_2_24
  • ensure_deny_log_on_locally_to_include_guests
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on locally']

2.2.26 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_through_Remote_Desktop_Services
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: "Deny_log_on_through_Remote_Desktop_Services"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.26
  • c2_2_26
  • ensure_deny_log_on_through_remote_desktop_services_is_set_to_guests_local_account_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on through Remote Desktop Services']

2.2.28 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)":
      users: []
      dsc_policy: "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.28
  • c2_2_28
  • ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Enable computer and user accounts to be trusted for delegation']

2.2.29 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Force_shutdown_from_a_remote_system
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Force_shutdown_from_a_remote_system"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.29
  • c2_2_29
  • ensure_force_shutdown_from_a_remote_system_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Force shutdown from a remote system']

2.2.30 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

• Parameters:
  • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Generate_security_audits
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Generate_security_audits"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.30
  • c2_2_30
  • ensure_generate_security_audits_is_set_to_local_service_network_service
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Generate security audits']

2.2.32 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Impersonate_a_client_after_authentication
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.32
  • c2_2_32
  • ensure_impersonate_a_client_after_authentication_is_set_to_administrators_local_service_network_service_service_and_when_the_web_server_iis_role_with_web_services_role_service_is_installed_iis_iusrs_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Impersonate a client after authentication']

2.2.33 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Increase_scheduling_priority
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Increase_scheduling_priority"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.33
  • c2_2_33
  • ensure_increase_scheduling_priority_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Increase scheduling priority']

2.2.34 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Load_and_unload_device_drivers
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Load_and_unload_device_drivers"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.34
  • c2_2_34
  • ensure_load_and_unload_device_drivers_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Load and unload device drivers']

2.2.35 - (L1) Ensure 'Lock pages in memory' is set to 'No One'

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Lock_pages_in_memory
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Lock pages in memory' is set to 'No One'":
      users: []
      dsc_policy: "Lock_pages_in_memory"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.35
  • c2_2_35
  • ensure_lock_pages_in_memory_is_set_to_no_one
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Lock pages in memory']

2.2.38 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Manage_auditing_and_security_log
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Manage_auditing_and_security_log"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.38
  • c2_2_38
  • ensure_manage_auditing_and_security_log_is_set_to_administrators_ms_only
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Manage auditing and security log']

2.2.39 - (L1) Ensure 'Modify an object label' is set to 'No One'

• Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_an_object_label
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Modify an object label' is set to 'No One'":
      users: []
      dsc_policy: "Modify_an_object_label"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.39
  • c2_2_39
  • ensure_modify_an_object_label_is_set_to_no_one
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Modify an object label']

2.2.40 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_firmware_environment_values
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Modify_firmware_environment_values"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.40
  • c2_2_40
  • ensure_modify_firmware_environment_values_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Modify firmware environment values']

2.2.41 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Perform_volume_maintenance_tasks
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Perform_volume_maintenance_tasks"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.41
  • c2_2_41
  • ensure_perform_volume_maintenance_tasks_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Perform volume maintenance tasks']

2.2.42 - (L1) Ensure 'Profile single process' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_single_process
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Profile single process' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Profile_single_process"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.42
  • c2_2_42
  • ensure_profile_single_process_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Profile single process']

2.2.43 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_system_performance
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'":
      users: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
      dsc_policy: "Profile_system_performance"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.43
  • c2_2_43
  • ensure_profile_system_performance_is_set_to_administrators_nt_servicewdiservicehost
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Profile system performance']

2.2.44 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

• Parameters:
  • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Replace_a_process_level_token
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Replace_a_process_level_token"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.44
  • c2_2_44
  • ensure_replace_a_process_level_token_is_set_to_local_service_network_service
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Replace a process level token']

2.2.45 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Restore_files_and_directories
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Restore files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Restore_files_and_directories"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.45
  • c2_2_45
  • ensure_restore_files_and_directories_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Restore files and directories']

2.2.46 - (L1) Ensure 'Shut down the system' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Shut_down_the_system
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Shut down the system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Shut_down_the_system"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.46
  • c2_2_46
  • ensure_shut_down_the_system_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Shut down the system']

2.2.48 - (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'

• Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Take_ownership_of_files_or_other_objects
  • dsc_force - [ Boolean ] - Default: true
• Supported Levels:
  • level_1
  • level_2
• Supported Profiles:
  • domain_controller
  • member_server
• Hiera Configuration Example:

puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Take_ownership_of_files_or_other_objects"
      dsc_force: true

• Alternate Config IDs:
  • 2.2.48
  • c2_2_48
  • ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators
• Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Take ownership of files or other objects']

2.3.1.1 - (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)