Premium module

cem_windows

Compliance Enforcement Module for Windows


Version information

  • 1.3.0 (latest)
  • 1.2.3
  • 1.2.2
  • 1.2.1
  • 1.2.0
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Dec 15th 2022
This version is compatible with:
  • Puppet Enterprise 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.23.0 < 8.0.0
Tasks:
  • cem_delete_securitypolicy_inf

Documentation

puppetlabs/cem_windows — version 1.3.0 Dec 15th 2022

CEM Windows Reference

Table of Contents

CIS Microsoft Windows Server 2016 Benchmark 1.4.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

  • Parameters:
    • dsc_enforce_password_history - [ Optional[Integer[0, 4294967295]] ] - Default: 24
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24
  • Alternate Config IDs:
    • 1.1.1
    • c1_1_1
    • ensure_enforce_password_history_is_set_to_24_or_more_passwords
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

  • Parameters:
    • dsc_maximum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 60
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 60
  • Alternate Config IDs:
    • 1.1.2
    • c1_1_2
    • ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

  • Parameters:
    • dsc_minimum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 1
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1
  • Alternate Config IDs:
    • 1.1.3
    • c1_1_3
    • ensure_minimum_password_age_is_set_to_1_or_more_days
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

  • Parameters:
    • dsc_minimum_password_length - [ Optional[Integer[0, 4294967295]] ] - Default: 14
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
      dsc_minimum_password_length: 14
  • Alternate Config IDs:
    • 1.1.4
    • c1_1_4
    • ensure_minimum_password_length_is_set_to_14_or_more_characters
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

  • Parameters:
    • dsc_password_must_meet_complexity_requirements - [ Optional[Enum['Enabled', 'Disabled']] ] - Default: Enabled
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
      dsc_password_must_meet_complexity_requirements: "Enabled"
  • Alternate Config IDs:
    • 1.1.5
    • c1_1_5
    • ensure_password_must_meet_complexity_requirements_is_set_to_enabled
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

  • Parameters:
    • dsc_store_passwords_using_reversible_encryption - [ Optional[Enum['Enabled', 'Disabled']] ] - Default: Disabled
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
      dsc_store_passwords_using_reversible_encryption: "Disabled"
  • Alternate Config IDs:
    • 1.1.6
    • c1_1_6
    • ensure_store_passwords_using_reversible_encryption_is_set_to_disabled
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

  • Parameters:
    • dsc_account_lockout_duration - [ Optional[Integer[0, 4294967295]] ] - Default: 30
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
      dsc_account_lockout_duration: 30
  • Alternate Config IDs:
    • 1.2.1
    • c1_2_1
    • ensure_account_lockout_duration_is_set_to_15_or_more_minutes
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

  • Parameters:
    • dsc_account_lockout_threshold - [ Optional[Integer[0, 4294967295]] ] - Default: 5
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
      dsc_account_lockout_threshold: 5
  • Alternate Config IDs:
    • 1.2.2
    • c1_2_2
    • ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']

1.2.3 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

  • Parameters:
    • dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
      dsc_reset_account_lockout_counter_after: 30
  • Alternate Config IDs:
    • 1.2.3
    • c1_2_3
    • ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes
  • Resource: Class['cem_windows::utils::accountpolicy_wrapper']
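The account policy controls above (1.1.1 through 1.2.3) carry Integer[0, 4294967295] and Enum parameter types, so a Hiera override that undercuts a benchmark threshold (dsc_minimum_password_length: 8, or 0 for a control whose title says 'but not 0') is accepted and enforced without complaint. The following pre-commit check is an added example, not part of the cem_windows module: it reads a puppetlabs-cem_windows::config hash, resolves all four key forms listed under Alternate Config IDs (the slug derivation is an assumption that reproduces the IDs shown above) and flags overrides weaker than the control titles.

```python
import re

# CIS Windows Server 2016 Benchmark 1.4.0 account-policy controls as the
# cem_windows module exposes them (parameter names from the reference above).
# Thresholds restate the control titles: a floor ("min"), a ceiling ("max"),
# a required Enum value, and "not_zero" for the "but not 0" wording.
CONTROLS = {
    "1.1.1": {"param": "dsc_enforce_password_history", "min": 24},
    "1.1.2": {"param": "dsc_maximum_password_age", "max": 365, "not_zero": True},
    "1.1.3": {"param": "dsc_minimum_password_age", "min": 1},
    "1.1.4": {"param": "dsc_minimum_password_length", "min": 14},
    "1.1.5": {"param": "dsc_password_must_meet_complexity_requirements", "enum": "Enabled"},
    "1.1.6": {"param": "dsc_store_passwords_using_reversible_encryption", "enum": "Disabled"},
    "1.2.1": {"param": "dsc_account_lockout_duration", "min": 15},
    "1.2.2": {"param": "dsc_account_lockout_threshold", "max": 5, "not_zero": True},
    "1.2.3": {"param": "dsc_reset_account_lockout_counter_after", "min": 15},
}

# Full control titles, the primary Hiera keys under control_configs.
TITLES = {
    "1.1.1": "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'",
    "1.1.2": "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'",
    "1.1.3": "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'",
    "1.1.4": "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'",
    "1.1.5": "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'",
    "1.1.6": "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'",
    "1.2.1": "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'",
    "1.2.2": "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'",
    "1.2.3": "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'",
}


def _slug(title: str) -> str:
    """Long-form alternate config ID. Assumption: drop the '(L1) ' prefix,
    lowercase, strip punctuation, one underscore per space; this reproduces
    the IDs listed on the page (e.g. ..._365_or_fewer_days_but_not_0)."""
    body = re.sub(r"^\(L\d\) ", "", title).lower()
    return re.sub(r"[^a-z0-9 ]", "", body).replace(" ", "_")


# Every accepted key form -> canonical control number.
ID_LOOKUP = {}
for _cid, _title in TITLES.items():
    for _alias in (_cid, "c" + _cid.replace(".", "_"), _title, _slug(_title)):
        ID_LOOKUP[_alias] = _cid


def resolve_id(key: str):
    """Map any of the four key forms to its control number, or None."""
    return ID_LOOKUP.get(key)


def check_config(hiera: dict) -> list:
    """Return one finding per override weaker than the benchmark; controls
    outside 1.1.x/1.2.x (e.g. the 2.2.x user rights) are not modelled and are skipped."""
    findings = []
    configs = hiera.get("puppetlabs-cem_windows::config", {}).get("control_configs", {})
    for key, params in configs.items():
        cid = resolve_id(key)
        if cid is None or not isinstance(params, dict):
            continue
        spec = CONTROLS[cid]
        name = spec["param"]
        if name not in params:  # module default applies, which is compliant
            continue
        value = params[name]
        where = f"{cid} ({name}={value!r})"
        if "enum" in spec:
            if value != spec["enum"]:
                findings.append(f"{where}: benchmark requires {spec['enum']!r}")
            continue
        # Puppet's Integer type rejects a Boolean, so a YAML true/false is flagged too.
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append(f"{where}: expected an integer")
            continue
        if spec.get("not_zero") and value == 0:
            findings.append(f"{where}: 0 disables the control ('but not 0')")
        elif "min" in spec and value < spec["min"]:
            findings.append(f"{where}: below the {spec['min']} floor")
        elif "max" in spec and value > spec["max"]:
            findings.append(f"{where}: above the {spec['max']} ceiling")
    return findings


# Constructed sample: a Hiera hash mixing the four key forms, with three
# overrides the module would accept but that weaken the benchmark.
WEAK_HIERA = {
    "puppetlabs-cem_windows::config": {
        "control_configs": {
            TITLES["1.1.1"]: {"dsc_enforce_password_history": 24},
            "c1_1_2": {"dsc_maximum_password_age": 0},
            "ensure_minimum_password_length_is_set_to_14_or_more_characters": {
                "dsc_minimum_password_length": 8},
            "1.1.6": {"dsc_store_passwords_using_reversible_encryption": "Enabled"},
            "1.2.2": {"dsc_account_lockout_threshold": 5},
        }
    }
}
```

Running `check_config(WEAK_HIERA)` reports 1.1.2, 1.1.4 and 1.1.6 and passes the two compliant entries.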

2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_Credential_Manager_as_a_trusted_caller
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
      users: []
      dsc_policy: "Access_Credential_Manager_as_a_trusted_caller"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.1
    • c2_2_1
    • ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Access Credential Manager as a trusted caller']

2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_this_computer_from_the_network
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Access this computer from the network'  is set to 'Administrators, Authenticated Users' (MS only)":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
      dsc_policy: "Access_this_computer_from_the_network"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.3
    • c2_2_3
    • ensure_access_this_computer_from_the_network__is_set_to_administrators_authenticated_users_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Access this computer from the network']

2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Act_as_part_of_the_operating_system
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
      users: []
      dsc_policy: "Act_as_part_of_the_operating_system"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.4
    • c2_2_4
    • ensure_act_as_part_of_the_operating_system_is_set_to_no_one
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Act as part of the operating system']

2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Adjust_memory_quotas_for_a_process
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Adjust_memory_quotas_for_a_process"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.6
    • c2_2_6
    • ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Adjust memory quotas for a process']

2.2.7 - (L1) Ensure 'Allow log on locally' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_locally
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on locally' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Allow_log_on_locally"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.7
    • c2_2_7
    • ensure_allow_log_on_locally_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Allow log on locally']

2.2.9 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_through_Remote_Desktop_Services
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)":
      users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
      dsc_policy: "Allow_log_on_through_Remote_Desktop_Services"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.9
    • c2_2_9
    • ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Allow log on through Remote Desktop Services']

2.2.10 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Back_up_files_and_directories
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Back_up_files_and_directories"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.10
    • c2_2_10
    • ensure_back_up_files_and_directories_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Back up files and directories']

2.2.11 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_system_time
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_system_time"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.11
    • c2_2_11
    • ensure_change_the_system_time_is_set_to_administrators_local_service
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Change the system time']

2.2.12 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_time_zone
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_time_zone"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.12
    • c2_2_12
    • ensure_change_the_time_zone_is_set_to_administrators_local_service
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Change the time zone']

2.2.13 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_pagefile
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_a_pagefile"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.13
    • c2_2_13
    • ensure_create_a_pagefile_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create a pagefile']

2.2.14 - (L1) Ensure 'Create a token object' is set to 'No One'

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_token_object
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: []
      dsc_policy: "Create_a_token_object"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.14
    • c2_2_14
    • ensure_create_a_token_object_is_set_to_no_one
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create a token object']

2.2.15 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_global_objects
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Create_global_objects"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.15
    • c2_2_15
    • ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create global objects']

2.2.16 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_permanent_shared_objects
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: []
      dsc_policy: "Create_permanent_shared_objects"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.16
    • c2_2_16
    • ensure_create_permanent_shared_objects_is_set_to_no_one
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create permanent shared objects']

2.2.18 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_symbolic_links
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_symbolic_links"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.18
    • c2_2_18
    • ensure_create_symbolic_links_is_set_to_administrators_nt_virtual_machinevirtual_machines_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Create symbolic links']
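Each control above can be addressed in control_configs by any of its three Alternate Config IDs: the benchmark number, the same number with a c prefix and underscores, or a slug of the title. The helper below is added example code, not part of cem_windows; it reproduces those IDs from a control title so a Hiera file can be checked for keys that match no control and for the same control configured twice under different IDs. The derivation rule (strip the level tag, lower-case, drop every character that is not a letter, digit or space, join the words with underscores) is inferred from the IDs listed on this page, and CONTROLS and SAMPLE_CONTROL_CONFIGS are constructed inputs. The page does not say which of two duplicate entries the module applies, so the check treats a duplicate as an error to fix in Hiera.

```python
"""Added helper: derive a control's Alternate Config IDs from its title and
validate control_configs keys. Example code, not part of cem_windows."""
import re

# Benchmark id -> title, a constructed subset of the controls on this page.
CONTROLS = {
    "2.2.14": "(L1) Ensure 'Create a token object' is set to 'No One'",
    "2.2.18": "(L1) Ensure 'Create symbolic links' is set to "
              "'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)",
    "2.2.24": "(L1) Ensure 'Deny log on locally' to include 'Guests'",
}

# Constructed control_configs keys: 2.2.24 appears twice under different IDs
# (with different users, so which one wins matters) and 2.2.99 is a typo.
SAMPLE_CONTROL_CONFIGS = {
    "2.2.18": {"users": ["Builtin\\Administrators", "NT VIRTUAL MACHINE\\Virtual Machines"]},
    "c2_2_24": {"users": ["Builtin\\Guests"]},
    "ensure_deny_log_on_locally_to_include_guests": {"users": ["Builtin\\Guests", "CONTOSO\\Contractors"]},
    "2.2.99": {"users": []},
}


def alternate_ids(benchmark_id, title):
    """Return [benchmark id, c-prefixed id, title slug] for one control.

    Rule inferred from the IDs on this page: strip the leading '(L1) ' or
    '(L2) ', lower-case, delete everything except [a-z0-9 ] (so a backslash
    or comma vanishes without leaving an underscore), then join words with '_'.
    """
    body = re.sub(r"^\(L[12]\)\s*", "", title).lower()
    slug = "_".join(re.sub(r"[^a-z0-9 ]", "", body).split())
    return [benchmark_id, "c" + benchmark_id.replace(".", "_"), slug]


def canonical_key(key, controls):
    """Map a control_configs key (title or any alternate ID) to the title."""
    for bid, title in controls.items():
        if key == title or key in alternate_ids(bid, title):
            return title
    raise KeyError(key)


def validate_control_configs(control_configs, controls):
    """Return (unknown_keys, duplicated_titles) for a control_configs hash."""
    seen, unknown, dupes = {}, [], []
    for key in control_configs:
        try:
            title = canonical_key(key, controls)
        except KeyError:
            unknown.append(key)
            continue
        if title in seen:          # same control already configured under another ID
            dupes.append(title)
        seen[title] = key
    return unknown, dupes
```

For a real check, build CONTROLS from every heading on this page (benchmark id and title) and load control_configs from the Hiera data that sets puppetlabs-cem_windows::config.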

2.2.19 - (L1) Ensure 'Debug programs' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Debug_programs
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Debug_programs"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.19
    • c2_2_19
    • ensure_debug_programs_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Debug programs']

2.2.21 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_access_to_this_computer_from_the_network
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
      dsc_policy: "Deny_access_to_this_computer_from_the_network"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.21
    • c2_2_21
    • ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account_and_member_of_administrators_group_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny access to this computer from the network']

2.2.22 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_batch_job
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_batch_job"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.22
    • c2_2_22
    • ensure_deny_log_on_as_a_batch_job_to_include_guests
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on as a batch job']

2.2.23 - (L1) Ensure 'Deny log on as a service' to include 'Guests'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_service
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_service"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.23
    • c2_2_23
    • ensure_deny_log_on_as_a_service_to_include_guests
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on as a service']

2.2.24 - (L1) Ensure 'Deny log on locally' to include 'Guests'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_locally
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_locally"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.24
    • c2_2_24
    • ensure_deny_log_on_locally_to_include_guests
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on locally']

2.2.26 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_through_Remote_Desktop_Services
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: "Deny_log_on_through_Remote_Desktop_Services"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.26
    • c2_2_26
    • ensure_deny_log_on_through_remote_desktop_services_is_set_to_guests_local_account_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Deny log on through Remote Desktop Services']

2.2.28 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)":
      users: []
      dsc_policy: "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.28
    • c2_2_28
    • ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Enable computer and user accounts to be trusted for delegation']

2.2.29 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Force_shutdown_from_a_remote_system
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Force_shutdown_from_a_remote_system"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.29
    • c2_2_29
    • ensure_force_shutdown_from_a_remote_system_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Force shutdown from a remote system']

2.2.30 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

  • Parameters:
    • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Generate_security_audits
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Generate_security_audits"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.30
    • c2_2_30
    • ensure_generate_security_audits_is_set_to_local_service_network_service
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Generate security audits']
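Every user-rights control above is enforced the same way: users names the identities that should hold the right, dsc_policy selects the right, and dsc_force decides whether that list is applied exactly. Before enabling this on a fleet it is worth seeing what would change on each box. The Python below is added example code, not part of cem_windows: it parses the [Privilege Rights] section of a secedit /export /cfg dump, resolves the well-known SIDs to the identity strings used on this page, and compares each configured control with the exported state. For each control, missing lists identities that would be added, extra lists identities present on the box but absent from users, and removed is the part of extra that an exact-list enforcement would strip. The dsc_force semantics (true replaces the identity list, false only adds what is missing) are my assumption about the Force switch of the DSC UserRightsAssignment resource the wrapper drives; the page does not describe them. The sample export is constructed: a member server in a hypothetical CONTOSO domain that is also a Hyper-V host, so NT VIRTUAL MACHINE\Virtual Machines holds 'Create symbolic links', which the default users for 2.2.18 above does not list, and a site-specific group sits in 'Deny log on locally'.

```python
"""Added drift check: control_configs for the user-rights controls above vs. a
`secedit /export /cfg <file>` dump. Example code, not part of cem_windows."""

# dsc_policy (the page's Enum) -> key in the dump's [Privilege Rights] section.
POLICY_TO_CONSTANT = {
    "Create_a_pagefile": "SeCreatePagefilePrivilege",
    "Create_a_token_object": "SeCreateTokenPrivilege",
    "Create_global_objects": "SeCreateGlobalPrivilege",
    "Create_permanent_shared_objects": "SeCreatePermanentPrivilege",
    "Create_symbolic_links": "SeCreateSymbolicLinkPrivilege",
    "Debug_programs": "SeDebugPrivilege",
    "Deny_access_to_this_computer_from_the_network": "SeDenyNetworkLogonRight",
    "Deny_log_on_as_a_batch_job": "SeDenyBatchLogonRight",
    "Deny_log_on_as_a_service": "SeDenyServiceLogonRight",
    "Deny_log_on_locally": "SeDenyInteractiveLogonRight",
    "Deny_log_on_through_Remote_Desktop_Services": "SeDenyRemoteInteractiveLogonRight",
    "Enable_computer_and_user_accounts_to_be_trusted_for_delegation": "SeEnableDelegationPrivilege",
    "Force_shutdown_from_a_remote_system": "SeRemoteShutdownPrivilege",
    "Generate_security_audits": "SeAuditPrivilege",
    "Impersonate_a_client_after_authentication": "SeImpersonatePrivilege",
}
# Well-known SIDs -> the identity strings the page uses in `users`.
SID_TO_NAME = {
    "S-1-5-32-544": "Builtin\\Administrators",
    "S-1-5-32-546": "Builtin\\Guests",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-113": "NT AUTHORITY\\Local account",
    "S-1-5-114": "NT AUTHORITY\\Local account and member of Administrators Group",
    "S-1-5-83-0": "NT VIRTUAL MACHINE\\Virtual Machines",
}
# Constructed dump from a hypothetical Hyper-V member server in domain CONTOSO.
# Real dumps are UTF-16 (open(path, encoding="utf-16")); a right held by
# "No One" is simply absent from the section.
SAMPLE_INF = """\
[Privilege Rights]
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
SeDebugPrivilege = *S-1-5-32-544,CONTOSO\\svc-debug
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546,CONTOSO\\Contractors
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {constant: set(identity)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        ids = set()
        for item in filter(None, (x.strip() for x in value.split(","))):
            # "*S-1-5-..." is a SID reference; SIDs not in the map are kept verbatim.
            ids.add(SID_TO_NAME.get(item[1:], item) if item.startswith("*") else item)
        rights[key.strip()] = ids
    return rights

def check_control(rights, cfg):
    """missing: added whatever dsc_force is; extra: on the box but not in `users`;
    removed: the extras stripped when dsc_force is true (assumed Force semantics)."""
    constant = POLICY_TO_CONSTANT[cfg["dsc_policy"]]
    # Account names are case-insensitive on Windows (BUILTIN vs Builtin).
    cur = {i.lower(): i for i in rights.get(constant, set())}
    want = {i.lower(): i for i in cfg["users"]}
    missing = sorted(want[k] for k in want.keys() - cur.keys())
    extra = sorted(cur[k] for k in cur.keys() - want.keys())
    removed = extra if cfg.get("dsc_force", True) else []
    return {"constant": constant, "missing": missing, "extra": extra, "removed": removed}

def drift_report(inf_text, control_configs):
    rights = parse_privilege_rights(inf_text)
    return {cid: check_control(rights, cfg) for cid, cfg in control_configs.items()}

def ctl(policy, users, force=True):  # one control_configs entry, keyed below by alternate ID
    return {"users": users, "dsc_policy": policy, "dsc_force": force}

# Page defaults, except c2_2_24, which opts out of dsc_force to keep a site deny.
CONTROL_CONFIGS = {
    "c2_2_14": ctl("Create_a_token_object", []),
    "c2_2_18": ctl("Create_symbolic_links", ["BUILTIN\\Administrators"]),
    "c2_2_19": ctl("Debug_programs", ["Builtin\\Administrators"]),
    "c2_2_21": ctl("Deny_access_to_this_computer_from_the_network", ["Builtin\\Guests",
                   "NT AUTHORITY\\Local account and member of Administrators Group"]),
    "c2_2_24": ctl("Deny_log_on_locally", ["Builtin\\Guests"], force=False),
    "c2_2_30": ctl("Generate_security_audits", ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]),
}
```

On a target, run secedit /export /cfg C:\temp\rights.inf, read the file with encoding utf-16, and pass the control_configs hash from Hiera to drift_report. In the sample, c2_2_18 and c2_2_19 show the point of the check: the Hyper-V identity and the CONTOSO\svc-debug account are not in users, so under the assumed semantics the default dsc_force: true removes them on the next run. The 'to include' controls (2.2.21 to 2.2.26 above) also default to dsc_force: true, so any site-specific deny entry has to be listed in users, or dsc_force set to false as c2_2_24 does, for it to survive.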

2.2.32 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Impersonate_a_client_after_authentication
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.32
    • c2_2_32
    • ensure_impersonate_a_client_after_authentication_is_set_to_administrators_local_service_network_service_service_and_when_the_web_server_iis_role_with_web_services_role_service_is_installed_iis_iusrs_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Impersonate a client after authentication']

2.2.33 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Increase_scheduling_priority
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Increase_scheduling_priority"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.33
    • c2_2_33
    • ensure_increase_scheduling_priority_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Increase scheduling priority']

2.2.34 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Load_and_unload_device_drivers
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Load_and_unload_device_drivers"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.34
    • c2_2_34
    • ensure_load_and_unload_device_drivers_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Load and unload device drivers']

2.2.35 - (L1) Ensure 'Lock pages in memory' is set to 'No One'

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Lock_pages_in_memory
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Lock pages in memory' is set to 'No One'":
      users: []
      dsc_policy: "Lock_pages_in_memory"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.35
    • c2_2_35
    • ensure_lock_pages_in_memory_is_set_to_no_one
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Lock pages in memory']

2.2.38 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Manage_auditing_and_security_log
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Manage_auditing_and_security_log"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.38
    • c2_2_38
    • ensure_manage_auditing_and_security_log_is_set_to_administrators_ms_only
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Manage auditing and security log']

2.2.39 - (L1) Ensure 'Modify an object label' is set to 'No One'

  • Parameters:
    • users - [ Array[String] ] - Default: []
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_an_object_label
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Modify an object label' is set to 'No One'":
      users: []
      dsc_policy: "Modify_an_object_label"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.39
    • c2_2_39
    • ensure_modify_an_object_label_is_set_to_no_one
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Modify an object label']

2.2.40 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_firmware_environment_values
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Modify_firmware_environment_values"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.40
    • c2_2_40
    • ensure_modify_firmware_environment_values_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Modify firmware environment values']

2.2.41 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Perform_volume_maintenance_tasks
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Perform_volume_maintenance_tasks"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.41
    • c2_2_41
    • ensure_perform_volume_maintenance_tasks_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Perform volume maintenance tasks']

2.2.42 - (L1) Ensure 'Profile single process' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_single_process
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Profile single process' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Profile_single_process"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.42
    • c2_2_42
    • ensure_profile_single_process_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Profile single process']

2.2.43 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_system_performance
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'":
      users: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
      dsc_policy: "Profile_system_performance"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.43
    • c2_2_43
    • ensure_profile_system_performance_is_set_to_administrators_nt_servicewdiservicehost
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Profile system performance']

2.2.44 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

  • Parameters:
    • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Replace_a_process_level_token
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Replace_a_process_level_token"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.44
    • c2_2_44
    • ensure_replace_a_process_level_token_is_set_to_local_service_network_service
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Replace a process level token']

2.2.45 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Restore_files_and_directories
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Restore files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Restore_files_and_directories"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.45
    • c2_2_45
    • ensure_restore_files_and_directories_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Restore files and directories']

2.2.46 - (L1) Ensure 'Shut down the system' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Shut_down_the_system
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Shut down the system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Shut_down_the_system"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.46
    • c2_2_46
    • ensure_shut_down_the_system_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Shut down the system']

2.2.48 - (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'

  • Parameters:
    • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
    • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Take_ownership_of_files_or_other_objects
    • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • domain_controller
    • member_server
  • Hiera Configuration Example:
puppetlabs-cem_windows::config:
  control_configs:
    "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Take_ownership_of_files_or_other_objects"
      dsc_force: true
  • Alternate Config IDs:
    • 2.2.48
    • c2_2_48
    • ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators
  • Resource: Cem_windows::Utils::Userrightsassignment_wrapper['Take ownership of files or other objects']

2.3.1.1 - (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)