Forge Home
Premium module

sce_windows

Security Compliance Enforcement for Windows

588 downloads

588 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Open Source Puppet

Security Compliance Enforcement uses Puppet policy-as-code (PaC) to enforce security configurations aligned to CIS Benchmarks and DISA STIGs, giving you a leg up on many compliance expectations and streamlining audit prep. In Puppet Enterprise, it is accessed through the included Security Compliance Management Console.

It can be applied to Puppet Enterprise or Open Source Puppet (see the compatibility list below).

Version information

  • 2.0.0 (latest)
released May 7th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.23.0 < 9.0.0
Tasks:
  • sce_delete_securitypolicy_inf

Documentation

puppetlabs/sce_windows — version 2.0.0 May 7th 2024

SCE for Windows Reference

Table of Contents

CIS Microsoft Windows Server 2016 Benchmark 2.0.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

  • Parameters:
  • dsc_enforce_password_history - [ Optional[Integer[0, 4294967295]] ] - Default: 24
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24
  • Alternate Config IDs:
  • 1.1.1
  • c1_1_1
  • ensure_enforce_password_history_is_set_to_24_or_more_passwords
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

  • Parameters:
  • dsc_maximum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 60
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 60
  • Alternate Config IDs:
  • 1.1.2
  • c1_1_2
  • ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

  • Parameters:
  • dsc_minimum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 1
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1
  • Alternate Config IDs:
  • 1.1.3
  • c1_1_3
  • ensure_minimum_password_age_is_set_to_1_or_more_days
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

  • Parameters:
  • dsc_minimum_password_length - [ Optional[Integer[0, 4294967295]] ] - Default: 14
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
      dsc_minimum_password_length: 14
  • Alternate Config IDs:
  • 1.1.4
  • c1_1_4
  • ensure_minimum_password_length_is_set_to_14_or_more_characters
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

  • Parameters:
  • dsc_password_must_meet_complexity_requirements - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Enabled
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
      dsc_password_must_meet_complexity_requirements: "Enabled"
  • Alternate Config IDs:
  • 1.1.5
  • c1_1_5
  • ensure_password_must_meet_complexity_requirements_is_set_to_enabled
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

  • Parameters:
  • dsc_store_passwords_using_reversible_encryption - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Disabled
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
      dsc_store_passwords_using_reversible_encryption: "Disabled"
  • Alternate Config IDs:
  • 1.1.6
  • c1_1_6
  • ensure_store_passwords_using_reversible_encryption_is_set_to_disabled
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

  • Parameters:
  • dsc_account_lockout_duration - [ Optional[Integer[0, 4294967295]] ] - Default: 30
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
      dsc_account_lockout_duration: 30
  • Alternate Config IDs:
  • 1.2.1
  • c1_2_1
  • ensure_account_lockout_duration_is_set_to_15_or_more_minutes
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

  • Parameters:
  • dsc_account_lockout_threshold - [ Optional[Integer[0, 4294967295]] ] - Default: 5
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
      dsc_account_lockout_threshold: 5
  • Alternate Config IDs:
  • 1.2.2
  • c1_2_2
  • ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.3 - (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

  • Parameters:
  • dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'":
      dsc_reset_account_lockout_counter_after: 30
  • Alternate Config IDs:
  • 1.2.3
  • c1_2_3
  • ensure_allow_administrator_account_lockout_is_set_to_enabled
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.4 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

  • Parameters:
  • dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
      dsc_reset_account_lockout_counter_after: 30
  • Alternate Config IDs:
  • 1.2.4
  • c1_2_4
  • ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes
  • Resource: Class['sce_windows::utils::accountpolicy_wrapper']

2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_Credential_Manager_as_a_trusted_caller
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
      users: []
      dsc_policy: "Access_Credential_Manager_as_a_trusted_caller"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.1
  • c2_2_1
  • ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Access Credential Manager as a trusted caller']

2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_this_computer_from_the_network
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Access this computer from the network'  is set to 'Administrators, Authenticated Users' (MS only)":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
      dsc_policy: "Access_this_computer_from_the_network"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.3
  • c2_2_3
  • ensure_access_this_computer_from_the_network__is_set_to_administrators_authenticated_users_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Access this computer from the network']

2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Act_as_part_of_the_operating_system
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
      users: []
      dsc_policy: "Act_as_part_of_the_operating_system"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.4
  • c2_2_4
  • ensure_act_as_part_of_the_operating_system_is_set_to_no_one
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Act as part of the operating system']

2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Adjust_memory_quotas_for_a_process
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Adjust_memory_quotas_for_a_process"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.6
  • c2_2_6
  • ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Adjust memory quotas for a process']

2.2.7 - (L1) Ensure 'Allow log on locally' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_locally
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on locally' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Allow_log_on_locally"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.7
  • c2_2_7
  • ensure_allow_log_on_locally_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on locally']

2.2.9 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_through_Remote_Desktop_Services
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)":
      users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
      dsc_policy: "Allow_log_on_through_Remote_Desktop_Services"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.9
  • c2_2_9
  • ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on through Remote Desktop Services']

2.2.10 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Back_up_files_and_directories
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Back_up_files_and_directories"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.10
  • c2_2_10
  • ensure_back_up_files_and_directories_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Back up files and directories']

2.2.11 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_system_time
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_system_time"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.11
  • c2_2_11
  • ensure_change_the_system_time_is_set_to_administrators_local_service
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Change the system time']

2.2.12 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_time_zone
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_time_zone"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.12
  • c2_2_12
  • ensure_change_the_time_zone_is_set_to_administrators_local_service
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Change the time zone']

2.2.13 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_pagefile
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_a_pagefile"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.13
  • c2_2_13
  • ensure_create_a_pagefile_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create a pagefile']

2.2.14 - (L1) Ensure 'Create a token object' is set to 'No One'

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_token_object
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: []
      dsc_policy: "Create_a_token_object"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.14
  • c2_2_14
  • ensure_create_a_token_object_is_set_to_no_one
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create a token object']

2.2.15 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_global_objects
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Create_global_objects"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.15
  • c2_2_15
  • ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create global objects']

2.2.16 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_permanent_shared_objects
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: []
      dsc_policy: "Create_permanent_shared_objects"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.16
  • c2_2_16
  • ensure_create_permanent_shared_objects_is_set_to_no_one
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create permanent shared objects']

2.2.18 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_symbolic_links
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_symbolic_links"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.18
  • c2_2_18
  • ensure_create_symbolic_links_is_set_to_administrators_nt_virtual_machinevirtual_machines_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create symbolic links']

2.2.19 - (L1) Ensure 'Debug programs' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Debug_programs
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Debug_programs"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.19
  • c2_2_19
  • ensure_debug_programs_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Debug programs']

2.2.21 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_access_to_this_computer_from_the_network
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
      dsc_policy: "Deny_access_to_this_computer_from_the_network"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.21
  • c2_2_21
  • ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account_and_member_of_administrators_group_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny access to this computer from the network']

2.2.22 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_batch_job
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_batch_job"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.22
  • c2_2_22
  • ensure_deny_log_on_as_a_batch_job_to_include_guests
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a batch job']

2.2.23 - (L1) Ensure 'Deny log on as a service' to include 'Guests'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_service
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_service"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.23
  • c2_2_23
  • ensure_deny_log_on_as_a_service_to_include_guests
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a service']

2.2.24 - (L1) Ensure 'Deny log on locally' to include 'Guests'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_locally
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_locally"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.24
  • c2_2_24
  • ensure_deny_log_on_locally_to_include_guests
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on locally']

2.2.26 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_through_Remote_Desktop_Services
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: "Deny_log_on_through_Remote_Desktop_Services"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.26
  • c2_2_26
  • ensure_deny_log_on_through_remote_desktop_services_is_set_to_guests_local_account_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on through Remote Desktop Services']

2.2.28 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)":
      users: []
      dsc_policy: "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.28
  • c2_2_28
  • ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Enable computer and user accounts to be trusted for delegation']

2.2.29 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Force_shutdown_from_a_remote_system
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Force_shutdown_from_a_remote_system"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.29
  • c2_2_29
  • ensure_force_shutdown_from_a_remote_system_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Force shutdown from a remote system']

2.2.30 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

  • Parameters:
  • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Generate_security_audits
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Generate_security_audits"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.30
  • c2_2_30
  • ensure_generate_security_audits_is_set_to_local_service_network_service
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Generate security audits']

2.2.32 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Impersonate_a_client_after_authentication
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.32
  • c2_2_32
  • ensure_impersonate_a_client_after_authentication_is_set_to_administrators_local_service_network_service_service_and_when_the_web_server_iis_role_with_web_services_role_service_is_installed_iis_iusrs_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Impersonate a client after authentication']

2.2.33 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Increase_scheduling_priority
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Increase_scheduling_priority"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.33
  • c2_2_33
  • ensure_increase_scheduling_priority_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Increase scheduling priority']

2.2.34 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Load_and_unload_device_drivers
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Load_and_unload_device_drivers"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.34
  • c2_2_34
  • ensure_load_and_unload_device_drivers_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Load and unload device drivers']

2.2.35 - (L1) Ensure 'Lock pages in memory' is set to 'No One'

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Lock_pages_in_memory
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Lock pages in memory' is set to 'No One'":
      users: []
      dsc_policy: "Lock_pages_in_memory"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.35
  • c2_2_35
  • ensure_lock_pages_in_memory_is_set_to_no_one
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Lock pages in memory']

2.2.38 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Manage_auditing_and_security_log
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Manage_auditing_and_security_log"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.38
  • c2_2_38
  • ensure_manage_auditing_and_security_log_is_set_to_administrators_ms_only
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Manage auditing and security log']

2.2.39 - (L1) Ensure 'Modify an object label' is set to 'No One'

  • Parameters:
  • users - [ Array[String] ] - Default: []
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_an_object_label
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify an object label' is set to 'No One'":
      users: []
      dsc_policy: "Modify_an_object_label"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.39
  • c2_2_39
  • ensure_modify_an_object_label_is_set_to_no_one
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Modify an object label']

2.2.40 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_firmware_environment_values
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Modify_firmware_environment_values"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.40
  • c2_2_40
  • ensure_modify_firmware_environment_values_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Modify firmware environment values']

2.2.41 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Perform_volume_maintenance_tasks
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Perform_volume_maintenance_tasks"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.41
  • c2_2_41
  • ensure_perform_volume_maintenance_tasks_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Perform volume maintenance tasks']

2.2.42 - (L1) Ensure 'Profile single process' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_single_process
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile single process' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Profile_single_process"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.42
  • c2_2_42
  • ensure_profile_single_process_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Profile single process']

2.2.43 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_system_performance
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'":
      users: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
      dsc_policy: "Profile_system_performance"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.43
  • c2_2_43
  • ensure_profile_system_performance_is_set_to_administrators_nt_servicewdiservicehost
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Profile system performance']

2.2.44 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

  • Parameters:
  • users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Replace_a_process_level_token
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Replace_a_process_level_token"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.44
  • c2_2_44
  • ensure_replace_a_process_level_token_is_set_to_local_service_network_service
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Replace a process level token']

2.2.45 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Restore_files_and_directories
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Restore files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Restore_files_and_directories"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.45
  • c2_2_45
  • ensure_restore_files_and_directories_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Restore files and directories']

2.2.46 - (L1) Ensure 'Shut down the system' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Shut_down_the_system
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Shut down the system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Shut_down_the_system"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.46
  • c2_2_46
  • ensure_shut_down_the_system_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Shut down the system']

2.2.48 - (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'

  • Parameters:
  • users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
  • dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Take_ownership_of_files_or_other_objects
  • dsc_force - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Take_ownership_of_files_or_other_objects"
      dsc_force: true
  • Alternate Config IDs:
  • 2.2.48
  • c2_2_48
  • ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators
  • Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Take ownership of files or other objects']

2.3.1.1 - (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

  • Parameters:
  • dsc_accounts_block_microsoft_accounts - [ Optional[Enum[\This policy is disabled\, \Users cant add Microsoft accounts\, \Users cant add or log on with Microsoft accounts\]] ] - Default: Users cant add or log on with Microsoft accounts
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'":
      dsc_accounts_block_microsoft_accounts: "Users cant add or log on with Microsoft accounts"
  • Alternate Config IDs:
  • 2.3.1.1
  • c2_3_1_1
  • ensure_accounts_block_microsoft_accounts_is_set_to_users_cant_add_or_log_on_with_microsoft_accounts
  • Resource: Class['sce_windows::utils::securityoption_wrapper']

2.3.1.2 - (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)

  • Parameters:
  • dsc_accounts_guest_account_status - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Disabled
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)":
      dsc_accounts_guest_account_status: "Disabled"
  • Alternate Config IDs:
  • 2.3.1.2
  • c2_3_1_2
  • ensure_accounts_guest_account_status_is_set_to_disabled_ms_only
  • Resource: Class['sce_windows::utils::securityoption_wrapper']

2.3.1.3 - (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'

  • Parameters:
  • dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Enabled
  • Supported Levels:
  • level_1
  • Supported Profiles:
  • member_server
  • Hiera Configuration Example:
sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'":
      dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only: "Enabled"
  • Alternate Config IDs:
  • 2.3.1.3
  • c2_3_1_3
  • ensure_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_enabled
  • Resource: Class['sce_windows::utils::securityoption_wrapper']

2.3.1.4 - (L1) Configure 'Accounts: Rename administrator account'