Premium module

sce_windows

Security Compliance Enforcement for Windows

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Puppet Core.

Security Compliance Enforcement uses Puppet policy-as-code (PaC) to enforce security configurations aligned to CIS Benchmarks and DISA STIGs, giving you a leg up on many compliance expectations and streamlining audit prep. In Puppet Enterprise, it is accessed through the included Security Compliance Management Console.

It can be applied to Puppet Enterprise or Puppet Core (see the compatibility list below).

Version information

  • 2.1.0 (latest), released Feb 25th 2025
  • 2.0.0

Version 2.1.0 is compatible with:
  • Puppet Enterprise 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.23.0 < 9.0.0
Tasks:
  • sce_delete_securitypolicy_inf

Documentation

puppetlabs/sce_windows — version 2.1.0 Feb 25th 2025

SCE for Windows Reference

CIS Microsoft Windows Server 2016 Benchmark 3.0.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

Parameters:

  • dsc_enforce_password_history - [ Optional[Integer[0, 4294967295]] ] - Default: 24

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24

Alternate Config IDs:

  • 1.1.1
  • c1_1_1
  • ensure_enforce_password_history_is_set_to_24_or_more_passwords

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

Parameters:

  • dsc_maximum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 60

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 60

Alternate Config IDs:

  • 1.1.2
  • c1_1_2
  • ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

Parameters:

  • dsc_minimum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 1

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1

Alternate Config IDs:

  • 1.1.3
  • c1_1_3
  • ensure_minimum_password_age_is_set_to_1_or_more_days

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

Parameters:

  • dsc_minimum_password_length - [ Optional[Integer[0, 4294967295]] ] - Default: 14

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
      dsc_minimum_password_length: 14

Alternate Config IDs:

  • 1.1.4
  • c1_1_4
  • ensure_minimum_password_length_is_set_to_14_or_more_characters

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

Parameters:

  • dsc_password_must_meet_complexity_requirements - [ Optional[Enum['Enabled', 'Disabled']] ] - Default: Enabled

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
      dsc_password_must_meet_complexity_requirements: "Enabled"

Alternate Config IDs:

  • 1.1.5
  • c1_1_5
  • ensure_password_must_meet_complexity_requirements_is_set_to_enabled

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

Parameters:

  • dsc_store_passwords_using_reversible_encryption - [ Optional[Enum['Enabled', 'Disabled']] ] - Default: Disabled

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
      dsc_store_passwords_using_reversible_encryption: "Disabled"

Alternate Config IDs:

  • 1.1.6
  • c1_1_6
  • ensure_store_passwords_using_reversible_encryption_is_set_to_disabled

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

Parameters:

  • dsc_account_lockout_duration - [ Optional[Integer[0, 4294967295]] ] - Default: 30

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
      dsc_account_lockout_duration: 30

Alternate Config IDs:

  • 1.2.1
  • c1_2_1
  • ensure_account_lockout_duration_is_set_to_15_or_more_minutes

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

Parameters:

  • dsc_account_lockout_threshold - [ Optional[Integer[0, 4294967295]] ] - Default: 5

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
      dsc_account_lockout_threshold: 5

Alternate Config IDs:

  • 1.2.2
  • c1_2_2
  • ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.2.3 - (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled' (MS only)

Parameters:

  • dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled' (MS only)":
      dsc_reset_account_lockout_counter_after: 30

Alternate Config IDs:

  • 1.2.3
  • c1_2_3
  • ensure_allow_administrator_account_lockout_is_set_to_enabled_ms_only

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

1.2.4 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

Parameters:

  • dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
      dsc_reset_account_lockout_counter_after: 30

Alternate Config IDs:

  • 1.2.4
  • c1_2_4
  • ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes

Resource:

  • Class['sce_windows::utils::accountpolicy_wrapper']

2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_Credential_Manager_as_a_trusted_caller - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
      users: []
      dsc_policy: "Access_Credential_Manager_as_a_trusted_caller"
      dsc_force: true

Alternate Config IDs:

  • 2.2.1
  • c2_2_1
  • ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Access Credential Manager as a trusted caller']

2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_this_computer_from_the_network - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Access this computer from the network'  is set to 'Administrators, Authenticated Users' (MS only)":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
      dsc_policy: "Access_this_computer_from_the_network"
      dsc_force: true

Alternate Config IDs:

  • 2.2.3
  • c2_2_3
  • ensure_access_this_computer_from_the_network__is_set_to_administrators_authenticated_users_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Access this computer from the network']

2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Act_as_part_of_the_operating_system - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
      users: []
      dsc_policy: "Act_as_part_of_the_operating_system"
      dsc_force: true

Alternate Config IDs:

  • 2.2.4
  • c2_2_4
  • ensure_act_as_part_of_the_operating_system_is_set_to_no_one

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Act as part of the operating system']

2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Adjust_memory_quotas_for_a_process - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Adjust_memory_quotas_for_a_process"
      dsc_force: true

Alternate Config IDs:

  • 2.2.6
  • c2_2_6
  • ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Adjust memory quotas for a process']

2.2.8 - (L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_locally - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Allow_log_on_locally"
      dsc_force: true

Alternate Config IDs:

  • 2.2.8
  • c2_2_8
  • ensure_allow_log_on_locally_is_set_to_administrators_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on locally']

2.2.10 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_through_Remote_Desktop_Services - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)":
      users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
      dsc_policy: "Allow_log_on_through_Remote_Desktop_Services"
      dsc_force: true

Alternate Config IDs:

  • 2.2.10
  • c2_2_10
  • ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on through Remote Desktop Services']

2.2.11 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Back_up_files_and_directories - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Back_up_files_and_directories"
      dsc_force: true

Alternate Config IDs:

  • 2.2.11
  • c2_2_11
  • ensure_back_up_files_and_directories_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Back up files and directories']

2.2.12 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_system_time - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_system_time"
      dsc_force: true

Alternate Config IDs:

  • 2.2.12
  • c2_2_12
  • ensure_change_the_system_time_is_set_to_administrators_local_service

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Change the system time']

2.2.13 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_time_zone - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_time_zone"
      dsc_force: true

Alternate Config IDs:

  • 2.2.13
  • c2_2_13
  • ensure_change_the_time_zone_is_set_to_administrators_local_service

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Change the time zone']

2.2.14 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_pagefile - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_a_pagefile"
      dsc_force: true

Alternate Config IDs:

  • 2.2.14
  • c2_2_14
  • ensure_create_a_pagefile_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Create a pagefile']

2.2.15 - (L1) Ensure 'Create a token object' is set to 'No One'

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_token_object - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: []
      dsc_policy: "Create_a_token_object"
      dsc_force: true

Alternate Config IDs:

  • 2.2.15
  • c2_2_15
  • ensure_create_a_token_object_is_set_to_no_one

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Create a token object']

2.2.16 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_global_objects - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Create_global_objects"
      dsc_force: true

Alternate Config IDs:

  • 2.2.16
  • c2_2_16
  • ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Create global objects']

2.2.17 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_permanent_shared_objects - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: []
      dsc_policy: "Create_permanent_shared_objects"
      dsc_force: true

Alternate Config IDs:

  • 2.2.17
  • c2_2_17
  • ensure_create_permanent_shared_objects_is_set_to_no_one

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Create permanent shared objects']

2.2.19 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_symbolic_links - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_symbolic_links"
      dsc_force: true

Alternate Config IDs:

  • 2.2.19
  • c2_2_19
  • ensure_create_symbolic_links_is_set_to_administrators_nt_virtual_machinevirtual_machines_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Create symbolic links']

2.2.20 - (L1) Ensure 'Debug programs' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Debug_programs - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Debug_programs"
      dsc_force: true

Alternate Config IDs:

  • 2.2.20
  • c2_2_20
  • ensure_debug_programs_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Debug programs']

2.2.22 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_access_to_this_computer_from_the_network - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
      dsc_policy: "Deny_access_to_this_computer_from_the_network"
      dsc_force: true

Alternate Config IDs:

  • 2.2.22
  • c2_2_22
  • ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account_and_member_of_administrators_group_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Deny access to this computer from the network']

2.2.23 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Guests"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_batch_job - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_batch_job"
      dsc_force: true

Alternate Config IDs:

  • 2.2.23
  • c2_2_23
  • ensure_deny_log_on_as_a_batch_job_to_include_guests

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a batch job']

2.2.24 - (L1) Ensure 'Deny log on as a service' to include 'Guests'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Guests"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_service - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_service"
      dsc_force: true

Alternate Config IDs:

  • 2.2.24
  • c2_2_24
  • ensure_deny_log_on_as_a_service_to_include_guests

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a service']

2.2.25 - (L1) Ensure 'Deny log on locally' to include 'Guests'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Guests"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_locally - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_locally"
      dsc_force: true

Alternate Config IDs:

  • 2.2.25
  • c2_2_25
  • ensure_deny_log_on_locally_to_include_guests

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on locally']

2.2.27 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_through_Remote_Desktop_Services - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: "Deny_log_on_through_Remote_Desktop_Services"
      dsc_force: true

Alternate Config IDs:

  • 2.2.27
  • c2_2_27
  • ensure_deny_log_on_through_remote_desktop_services_is_set_to_guests_local_account_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on through Remote Desktop Services']

2.2.29 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)":
      users: []
      dsc_policy: "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
      dsc_force: true

Alternate Config IDs:

  • 2.2.29
  • c2_2_29
  • ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Enable computer and user accounts to be trusted for delegation']

2.2.30 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Force_shutdown_from_a_remote_system - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Force_shutdown_from_a_remote_system"
      dsc_force: true

Alternate Config IDs:

  • 2.2.30
  • c2_2_30
  • ensure_force_shutdown_from_a_remote_system_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Force shutdown from a remote system']

2.2.31 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

Parameters:

  • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Generate_security_audits - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Generate_security_audits"
      dsc_force: true

Alternate Config IDs:

  • 2.2.31
  • c2_2_31
  • ensure_generate_security_audits_is_set_to_local_service_network_service

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Generate security audits']

2.2.33 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Impersonate_a_client_after_authentication - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true

Alternate Config IDs:

  • 2.2.33
  • c2_2_33
  • ensure_impersonate_a_client_after_authentication_is_set_to_administrators_local_service_network_service_service_and_when_the_web_server_iis_role_with_web_services_role_service_is_installed_iis_iusrs_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Impersonate a client after authentication']
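
The default users list above does not include IIS_IUSRS, which this control requires only on member servers where the Web Server (IIS) role with the Web Services role service is installed. The following is an added example, not from the module's own documentation: a Hiera override for that case. It assumes the key must match the control title exactly and that the users value replaces the default rather than merging with it, so the four default principals are repeated alongside BUILTIN\IIS_IUSRS. Place it in a hierarchy level that only the IIS hosts match.

```yaml
# Added example for control 2.2.33 on IIS member servers (not sce_windows module code).
# users replaces the default list, so the default principals are listed again;
# dsc_force stays true so no principal outside this list keeps the right.
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users:
        - "BUILTIN\\Administrators"
        - "NT AUTHORITY\\LOCAL SERVICE"
        - "NT AUTHORITY\\NETWORK SERVICE"
        - "NT AUTHORITY\\SERVICE"
        - "BUILTIN\\IIS_IUSRS"
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true
```

Keeping dsc_force true matters here: the impersonation right is what lets a service token act as an authenticated client, and a host that merely adds IIS_IUSRS while leaving other holders in place still fails the benchmark's "is set to" wording.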

2.2.34 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Increase_scheduling_priority - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Increase_scheduling_priority"
      dsc_force: true

Alternate Config IDs:

  • 2.2.34
  • c2_2_34
  • ensure_increase_scheduling_priority_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Increase scheduling priority']

2.2.35 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Load_and_unload_device_drivers - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Load_and_unload_device_drivers"
      dsc_force: true

Alternate Config IDs:

  • 2.2.35
  • c2_2_35
  • ensure_load_and_unload_device_drivers_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Load and unload device drivers']

2.2.36 - (L1) Ensure 'Lock pages in memory' is set to 'No One'

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Lock_pages_in_memory - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Lock pages in memory' is set to 'No One'":
      users: []
      dsc_policy: "Lock_pages_in_memory"
      dsc_force: true

Alternate Config IDs:

  • 2.2.36
  • c2_2_36
  • ensure_lock_pages_in_memory_is_set_to_no_one

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Lock pages in memory']

2.2.39 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Manage_auditing_and_security_log - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Manage_auditing_and_security_log"
      dsc_force: true

Alternate Config IDs:

  • 2.2.39
  • c2_2_39
  • ensure_manage_auditing_and_security_log_is_set_to_administrators_ms_only

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Manage auditing and security log']

2.2.40 - (L1) Ensure 'Modify an object label' is set to 'No One'

Parameters:

  • users - [ Array[String] ] - Default: [] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_an_object_label - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify an object label' is set to 'No One'":
      users: []
      dsc_policy: "Modify_an_object_label"
      dsc_force: true

Alternate Config IDs:

  • 2.2.40
  • c2_2_40
  • ensure_modify_an_object_label_is_set_to_no_one

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Modify an object label']

2.2.41 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_firmware_environment_values - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Modify_firmware_environment_values"
      dsc_force: true

Alternate Config IDs:

  • 2.2.41
  • c2_2_41
  • ensure_modify_firmware_environment_values_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Modify firmware environment values']

2.2.42 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Perform_volume_maintenance_tasks - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Perform_volume_maintenance_tasks"
      dsc_force: true

Alternate Config IDs:

  • 2.2.42
  • c2_2_42
  • ensure_perform_volume_maintenance_tasks_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Perform volume maintenance tasks']

2.2.43 - (L1) Ensure 'Profile single process' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_single_process - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile single process' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Profile_single_process"
      dsc_force: true

Alternate Config IDs:

  • 2.2.43
  • c2_2_43
  • ensure_profile_single_process_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Profile single process']

2.2.44 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_system_performance - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'":
      users: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
      dsc_policy: "Profile_system_performance"
      dsc_force: true

Alternate Config IDs:

  • 2.2.44
  • c2_2_44
  • ensure_profile_system_performance_is_set_to_administrators_nt_servicewdiservicehost

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Profile system performance']

2.2.45 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

Parameters:

  • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Replace_a_process_level_token - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Replace_a_process_level_token"
      dsc_force: true

Alternate Config IDs:

  • 2.2.45
  • c2_2_45
  • ensure_replace_a_process_level_token_is_set_to_local_service_network_service

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Replace a process level token']

2.2.46 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'

Parameters:

  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"] - The users to apply the policy to.
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Restore_files_and_directories - The policy to apply.
  • dsc_force - [ Boolean ] - Default: true - Whether to force the policy: with true the assignment is made exact and any principal not listed in users loses the right; with false the listed users are added and existing holders are kept.

Supported Profiles & Levels:

  • member_server, level_1
  • member_server, level_2
  • domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Restore files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Restore_files_and_directories"
      dsc_force: true

Alternate Config IDs:

  • 2.2.46
  • c2_2_46
  • ensure_restore_files_and_directories_is_set_to_administrators

Resource:

  • Sce_windows::Utils::Userrightsassignment_wrapper['Restore files and directories']
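
Every control from 2.2.31 through 2.2.46 above goes through the same user-rights wrapper, so one independent check covers all of them. The following is an added example, not code from the sce_windows module or from Puppet: a Python script that parses the [Privilege Rights] section of a `secedit /export /cfg <file>` dump taken from a managed host and compares it with control_configs entries shaped like the Hiera examples above. The privilege constants, the well-known SIDs and the NT SERVICE\WdiServiceHost service SID are standard Windows values; the control_configs dict and the export text are constructed for the example, and reading dsc_force true as an exact assignment and false as additive is the example's assumption.

```python
# Added example, not sce_windows code: audit a `secedit /export /cfg <file>` dump
# against control_configs entries written like the Hiera examples above.
from typing import Dict, Set, Tuple

# dsc_policy values on this page -> privilege constants secedit writes in [Privilege Rights].
POLICY_TO_PRIVILEGE = {
    "Generate_security_audits": "SeAuditPrivilege",
    "Impersonate_a_client_after_authentication": "SeImpersonatePrivilege",
    "Increase_scheduling_priority": "SeIncreaseBasePriorityPrivilege",
    "Lock_pages_in_memory": "SeLockMemoryPrivilege",
    "Manage_auditing_and_security_log": "SeSecurityPrivilege",
    "Profile_system_performance": "SeSystemProfilePrivilege",
    "Replace_a_process_level_token": "SeAssignPrimaryTokenPrivilege",
    "Restore_files_and_directories": "SeRestorePrivilege",
}

# secedit writes principals as *SID; well-known SIDs for the principals used on this page.
SID_TO_NAME = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420": "NT SERVICE\\WdiServiceHost",
}

def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """{privilege: upper-cased holder names}. Unknown SIDs are kept verbatim so
    they surface as unexpected holders instead of vanishing."""
    holders: Dict[str, Set[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        priv, _, value = line.partition("=")
        names: Set[str] = set()
        for item in value.split(","):
            item = item.strip()
            if item:
                sid = item[1:] if item.startswith("*") else item
                names.add(SID_TO_NAME.get(sid, sid).upper())
        holders[priv.strip()] = names
    return holders

def find_drift(control_configs: Dict[str, dict],
               holders: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """{privilege: (missing, extra)} for each control not met. A privilege absent
    from the export has no holders, which is what users: [] ('No One') requires.
    Assumption of this example: dsc_force true means an exact assignment (extra
    holders are drift), false means additive (only missing holders count)."""
    drift: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for cfg in control_configs.values():
        priv = POLICY_TO_PRIVILEGE[cfg["dsc_policy"]]
        expected = {u.upper() for u in cfg["users"]}
        actual = holders.get(priv, set())
        missing = expected - actual
        extra = (actual - expected) if cfg.get("dsc_force", True) else set()
        if missing or extra:
            drift[priv] = (missing, extra)
    return drift

# Constructed control_configs (values as in the Hiera examples above; 2.2.46 is
# deliberately set to dsc_force: false to show the additive case).
CONTROL_CONFIGS = {
    "2.2.31": {"users": ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"],
               "dsc_policy": "Generate_security_audits", "dsc_force": True},
    "2.2.33": {"users": ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE",
                         "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"],
               "dsc_policy": "Impersonate_a_client_after_authentication", "dsc_force": True},
    "2.2.36": {"users": [], "dsc_policy": "Lock_pages_in_memory", "dsc_force": True},
    "2.2.44": {"users": ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"],
               "dsc_policy": "Profile_system_performance", "dsc_force": True},
    "2.2.46": {"users": ["Builtin\\Administrators"],
               "dsc_policy": "Restore_files_and_directories", "dsc_force": False},
}

# Constructed export: BUILTIN\Users holds impersonation and lock-pages (drift),
# Backup Operators hold restore (Windows default), WdiServiceHost shows as its service SID.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-6
SeLockMemoryPrivilege = *S-1-5-32-545
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

def run_sample() -> Dict[str, Tuple[Set[str], Set[str]]]:
    return find_drift(CONTROL_CONFIGS, parse_privilege_rights(SAMPLE_EXPORT))
```

On the constructed export, run_sample() reports SeImpersonatePrivilege and SeLockMemoryPrivilege with BUILTIN\Users as an extra holder, while SeRestorePrivilege passes only because that entry was given dsc_force: false; with the page's default of true, Backup Operators would be flagged too. Comparing names after upper-casing is what makes the page's mixed "Builtin" and "BUILTIN" spellings agree, since Windows resolves both to the same SID.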

2.2.47 - (L1) Ensure 'Shut down the system' is set to 'Administrators'

Parameters: