Premium module

sce_windows

Security Compliance Enforcement for Windows

Module Stats

175 downloads

175 latest version

5.0 quality score

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Open Source Puppet

Security Compliance Enforcement uses Puppet policy-as-code (PaC) to enforce security configurations aligned to CIS Benchmarks and DISA STIGs, giving you a leg up on many compliance expectations and streamlining audit prep. In Puppet Enterprise, it is accessed through the included Security Compliance Management Console.

It can be applied to Puppet Enterprise or Open Source Puppet (see the compatibility list below).

Version information

released May 7th 2024

This version is compatible with:

Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
Puppet >= 6.23.0 < 9.0.0

Tasks:

sce_delete_securitypolicy_inf

Tags: security, hardening, compliance, cis, comply

Documentation

puppetlabs/sce_windows — version 2.0.0 May 7th 2024

`sce_windows`

Product documentation is available on the Puppet Docs website.

SCE for Windows Reference

CIS Microsoft Windows Server 2016 Benchmark 2.0.0
CIS Microsoft Windows Server 2019 Benchmark 2.0.0
CIS Microsoft Windows Server 2022 Benchmark 2.0.0
CIS Microsoft Windows 10 Enterprise Benchmark 2.0.0

CIS Microsoft Windows Server 2016 Benchmark 2.0.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

Parameters:
dsc_enforce_password_history - [ Optional[Integer[0, 4294967295]] ] - Default: 24
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24

Alternate Config IDs:
1.1.1
c1_1_1
ensure_enforce_password_history_is_set_to_24_or_more_passwords
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

Parameters:
dsc_maximum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 60
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 60

Alternate Config IDs:
1.1.2
c1_1_2
ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

Parameters:
dsc_minimum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 1
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1

Alternate Config IDs:
1.1.3
c1_1_3
ensure_minimum_password_age_is_set_to_1_or_more_days
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

Parameters:
dsc_minimum_password_length - [ Optional[Integer[0, 4294967295]] ] - Default: 14
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'":
      dsc_minimum_password_length: 14

Alternate Config IDs:
1.1.4
c1_1_4
ensure_minimum_password_length_is_set_to_14_or_more_characters
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

Parameters:
dsc_password_must_meet_complexity_requirements - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Enabled
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'":
      dsc_password_must_meet_complexity_requirements: "Enabled"

Alternate Config IDs:
1.1.5
c1_1_5
ensure_password_must_meet_complexity_requirements_is_set_to_enabled
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

Parameters:
dsc_store_passwords_using_reversible_encryption - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Disabled
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'":
      dsc_store_passwords_using_reversible_encryption: "Disabled"

Alternate Config IDs:
1.1.6
c1_1_6
ensure_store_passwords_using_reversible_encryption_is_set_to_disabled
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

Parameters:
dsc_account_lockout_duration - [ Optional[Integer[0, 4294967295]] ] - Default: 30
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'":
      dsc_account_lockout_duration: 30

Alternate Config IDs:
1.2.1
c1_2_1
ensure_account_lockout_duration_is_set_to_15_or_more_minutes
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

Parameters:
dsc_account_lockout_threshold - [ Optional[Integer[0, 4294967295]] ] - Default: 5
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'":
      dsc_account_lockout_threshold: 5

Alternate Config IDs:
1.2.2
c1_2_2
ensure_account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.3 - (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

Parameters:
dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'":
      dsc_reset_account_lockout_counter_after: 30

Alternate Config IDs:
1.2.3
c1_2_3
ensure_allow_administrator_account_lockout_is_set_to_enabled
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

1.2.4 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

Parameters:
dsc_reset_account_lockout_counter_after - [ Optional[Integer[0, 4294967295]] ] - Default: 30
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'":
      dsc_reset_account_lockout_counter_after: 30

Alternate Config IDs:
1.2.4
c1_2_4
ensure_reset_account_lockout_counter_after_is_set_to_15_or_more_minutes
Resource: Class['sce_windows::utils::accountpolicy_wrapper']

2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_Credential_Manager_as_a_trusted_caller
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'":
      users: []
      dsc_policy: "Access_Credential_Manager_as_a_trusted_caller"
      dsc_force: true

Alternate Config IDs:
2.2.1
c2_2_1
ensure_access_credential_manager_as_a_trusted_caller_is_set_to_no_one
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Access Credential Manager as a trusted caller']

2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Access_this_computer_from_the_network
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Access this computer from the network'  is set to 'Administrators, Authenticated Users' (MS only)":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\Authenticated Users"]
      dsc_policy: "Access_this_computer_from_the_network"
      dsc_force: true

Alternate Config IDs:
2.2.3
c2_2_3
ensure_access_this_computer_from_the_network__is_set_to_administrators_authenticated_users_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Access this computer from the network']

2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Act_as_part_of_the_operating_system
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Act as part of the operating system' is set to 'No One'":
      users: []
      dsc_policy: "Act_as_part_of_the_operating_system"
      dsc_force: true

Alternate Config IDs:
2.2.4
c2_2_4
ensure_act_as_part_of_the_operating_system_is_set_to_no_one
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Act as part of the operating system']

2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Adjust_memory_quotas_for_a_process
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Adjust_memory_quotas_for_a_process"
      dsc_force: true

Alternate Config IDs:
2.2.6
c2_2_6
ensure_adjust_memory_quotas_for_a_process_is_set_to_administrators_local_service_network_service
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Adjust memory quotas for a process']

2.2.7 - (L1) Ensure 'Allow log on locally' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_locally
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on locally' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Allow_log_on_locally"
      dsc_force: true

Alternate Config IDs:
2.2.7
c2_2_7
ensure_allow_log_on_locally_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on locally']

2.2.9 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Allow_log_on_through_Remote_Desktop_Services
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)":
      users: ["Builtin\\Administrators", "Builtin\\Remote Desktop Users"]
      dsc_policy: "Allow_log_on_through_Remote_Desktop_Services"
      dsc_force: true

Alternate Config IDs:
2.2.9
c2_2_9
ensure_allow_log_on_through_remote_desktop_services_is_set_to_administrators_remote_desktop_users_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Allow log on through Remote Desktop Services']

2.2.10 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Back_up_files_and_directories
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Back up files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Back_up_files_and_directories"
      dsc_force: true

Alternate Config IDs:
2.2.10
c2_2_10
ensure_back_up_files_and_directories_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Back up files and directories']

2.2.11 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_system_time
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_system_time"
      dsc_force: true

Alternate Config IDs:
2.2.11
c2_2_11
ensure_change_the_system_time_is_set_to_administrators_local_service
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Change the system time']

2.2.12 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Change_the_time_zone
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE"]
      dsc_policy: "Change_the_time_zone"
      dsc_force: true

Alternate Config IDs:
2.2.12
c2_2_12
ensure_change_the_time_zone_is_set_to_administrators_local_service
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Change the time zone']

2.2.13 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_pagefile
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a pagefile' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_a_pagefile"
      dsc_force: true

Alternate Config IDs:
2.2.13
c2_2_13
ensure_create_a_pagefile_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create a pagefile']

2.2.14 - (L1) Ensure 'Create a token object' is set to 'No One'

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_a_token_object
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create a token object' is set to 'No One'":
      users: []
      dsc_policy: "Create_a_token_object"
      dsc_force: true

Alternate Config IDs:
2.2.14
c2_2_14
ensure_create_a_token_object_is_set_to_no_one
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create a token object']

2.2.15 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_global_objects
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'":
      users: ["Builtin\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Create_global_objects"
      dsc_force: true

Alternate Config IDs:
2.2.15
c2_2_15
ensure_create_global_objects_is_set_to_administrators_local_service_network_service_service
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create global objects']

2.2.16 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_permanent_shared_objects
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create permanent shared objects' is set to 'No One'":
      users: []
      dsc_policy: "Create_permanent_shared_objects"
      dsc_force: true

Alternate Config IDs:
2.2.16
c2_2_16
ensure_create_permanent_shared_objects_is_set_to_no_one
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create permanent shared objects']

2.2.18 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Create_symbolic_links
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\\Virtual Machines' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Create_symbolic_links"
      dsc_force: true

Alternate Config IDs:
2.2.18
c2_2_18
ensure_create_symbolic_links_is_set_to_administrators_nt_virtual_machinevirtual_machines_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Create symbolic links']

2.2.19 - (L1) Ensure 'Debug programs' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Debug_programs
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Debug programs' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Debug_programs"
      dsc_force: true

Alternate Config IDs:
2.2.19
c2_2_19
ensure_debug_programs_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Debug programs']

2.2.21 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_access_to_this_computer_from_the_network
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account and member of Administrators Group"]
      dsc_policy: "Deny_access_to_this_computer_from_the_network"
      dsc_force: true

Alternate Config IDs:
2.2.21
c2_2_21
ensure_deny_access_to_this_computer_from_the_network_to_include_guests_local_account_and_member_of_administrators_group_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny access to this computer from the network']

2.2.22 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Guests"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_batch_job
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_batch_job"
      dsc_force: true

Alternate Config IDs:
2.2.22
c2_2_22
ensure_deny_log_on_as_a_batch_job_to_include_guests
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a batch job']

2.2.23 - (L1) Ensure 'Deny log on as a service' to include 'Guests'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Guests"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_as_a_service
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on as a service' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_as_a_service"
      dsc_force: true

Alternate Config IDs:
2.2.23
c2_2_23
ensure_deny_log_on_as_a_service_to_include_guests
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on as a service']

2.2.24 - (L1) Ensure 'Deny log on locally' to include 'Guests'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Guests"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_locally
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on locally' to include 'Guests'":
      users: ["Builtin\\Guests"]
      dsc_policy: "Deny_log_on_locally"
      dsc_force: true

Alternate Config IDs:
2.2.24
c2_2_24
ensure_deny_log_on_locally_to_include_guests
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on locally']

2.2.26 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Deny_log_on_through_Remote_Desktop_Services
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)":
      users: ["Builtin\\Guests", "NT AUTHORITY\\Local account"]
      dsc_policy: "Deny_log_on_through_Remote_Desktop_Services"
      dsc_force: true

Alternate Config IDs:
2.2.26
c2_2_26
ensure_deny_log_on_through_remote_desktop_services_is_set_to_guests_local_account_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Deny log on through Remote Desktop Services']

2.2.28 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)":
      users: []
      dsc_policy: "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
      dsc_force: true

Alternate Config IDs:
2.2.28
c2_2_28
ensure_enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_no_one_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Enable computer and user accounts to be trusted for delegation']

2.2.29 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Force_shutdown_from_a_remote_system
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Force_shutdown_from_a_remote_system"
      dsc_force: true

Alternate Config IDs:
2.2.29
c2_2_29
ensure_force_shutdown_from_a_remote_system_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Force shutdown from a remote system']

2.2.30 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

Parameters:
users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Generate_security_audits
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Generate_security_audits"
      dsc_force: true

Alternate Config IDs:
2.2.30
c2_2_30
ensure_generate_security_audits_is_set_to_local_service_network_service
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Generate security audits']

2.2.32 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Impersonate_a_client_after_authentication
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)":
      users: ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"]
      dsc_policy: "Impersonate_a_client_after_authentication"
      dsc_force: true

Alternate Config IDs:
2.2.32
c2_2_32
ensure_impersonate_a_client_after_authentication_is_set_to_administrators_local_service_network_service_service_and_when_the_web_server_iis_role_with_web_services_role_service_is_installed_iis_iusrs_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Impersonate a client after authentication']

2.2.33 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Increase_scheduling_priority
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Increase_scheduling_priority"
      dsc_force: true

Alternate Config IDs:
2.2.33
c2_2_33
ensure_increase_scheduling_priority_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Increase scheduling priority']

2.2.34 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Load_and_unload_device_drivers
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Load_and_unload_device_drivers"
      dsc_force: true

Alternate Config IDs:
2.2.34
c2_2_34
ensure_load_and_unload_device_drivers_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Load and unload device drivers']

2.2.35 - (L1) Ensure 'Lock pages in memory' is set to 'No One'

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Lock_pages_in_memory
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Lock pages in memory' is set to 'No One'":
      users: []
      dsc_policy: "Lock_pages_in_memory"
      dsc_force: true

Alternate Config IDs:
2.2.35
c2_2_35
ensure_lock_pages_in_memory_is_set_to_no_one
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Lock pages in memory']

2.2.38 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Manage_auditing_and_security_log
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Manage_auditing_and_security_log"
      dsc_force: true

Alternate Config IDs:
2.2.38
c2_2_38
ensure_manage_auditing_and_security_log_is_set_to_administrators_ms_only
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Manage auditing and security log']

2.2.39 - (L1) Ensure 'Modify an object label' is set to 'No One'

Parameters:
users - [ Array[String] ] - Default: []
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_an_object_label
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify an object label' is set to 'No One'":
      users: []
      dsc_policy: "Modify_an_object_label"
      dsc_force: true

Alternate Config IDs:
2.2.39
c2_2_39
ensure_modify_an_object_label_is_set_to_no_one
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Modify an object label']

2.2.40 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Modify_firmware_environment_values
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Modify_firmware_environment_values"
      dsc_force: true

Alternate Config IDs:
2.2.40
c2_2_40
ensure_modify_firmware_environment_values_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Modify firmware environment values']

2.2.41 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Perform_volume_maintenance_tasks
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Perform_volume_maintenance_tasks"
      dsc_force: true

Alternate Config IDs:
2.2.41
c2_2_41
ensure_perform_volume_maintenance_tasks_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Perform volume maintenance tasks']

2.2.42 - (L1) Ensure 'Profile single process' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_single_process
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile single process' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Profile_single_process"
      dsc_force: true

Alternate Config IDs:
2.2.42
c2_2_42
ensure_profile_single_process_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Profile single process']

2.2.43 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Profile_system_performance
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'":
      users: ["Builtin\\Administrators", "NT SERVICE\\WdiServiceHost"]
      dsc_policy: "Profile_system_performance"
      dsc_force: true

Alternate Config IDs:
2.2.43
c2_2_43
ensure_profile_system_performance_is_set_to_administrators_nt_servicewdiservicehost
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Profile system performance']

2.2.44 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

Parameters:
users - [ Array[String] ] - Default: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Replace_a_process_level_token
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'":
      users: ["NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"]
      dsc_policy: "Replace_a_process_level_token"
      dsc_force: true

Alternate Config IDs:
2.2.44
c2_2_44
ensure_replace_a_process_level_token_is_set_to_local_service_network_service
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Replace a process level token']

2.2.45 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Restore_files_and_directories
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Restore files and directories' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Restore_files_and_directories"
      dsc_force: true

Alternate Config IDs:
2.2.45
c2_2_45
ensure_restore_files_and_directories_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Restore files and directories']

2.2.46 - (L1) Ensure 'Shut down the system' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Shut_down_the_system
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Shut down the system' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Shut_down_the_system"
      dsc_force: true

Alternate Config IDs:
2.2.46
c2_2_46
ensure_shut_down_the_system_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Shut down the system']

2.2.48 - (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'

Parameters:
users - [ Array[String] ] - Default: ["Builtin\\Administrators"]
dsc_policy - [ Enum["Create_a_token_object", "Access_this_computer_from_the_network", "Change_the_system_time", "Deny_log_on_as_a_batch_job", "Deny_log_on_through_Remote_Desktop_Services", "Create_global_objects", "Remove_computer_from_docking_station", "Deny_access_to_this_computer_from_the_network", "Act_as_part_of_the_operating_system", "Modify_firmware_environment_values", "Deny_log_on_locally", "Access_Credential_Manager_as_a_trusted_caller", "Restore_files_and_directories", "Change_the_time_zone", "Replace_a_process_level_token", "Manage_auditing_and_security_log", "Create_symbolic_links", "Modify_an_object_label", "Enable_computer_and_user_accounts_to_be_trusted_for_delegation", "Generate_security_audits", "Increase_a_process_working_set", "Take_ownership_of_files_or_other_objects", "Bypass_traverse_checking", "Log_on_as_a_service", "Shut_down_the_system", "Lock_pages_in_memory", "Impersonate_a_client_after_authentication", "Profile_system_performance", "Debug_programs", "Profile_single_process", "Allow_log_on_through_Remote_Desktop_Services", "Allow_log_on_locally", "Increase_scheduling_priority", "Synchronize_directory_service_data", "Add_workstations_to_domain", "Adjust_memory_quotas_for_a_process", "Obtain_an_impersonation_token_for_another_user_in_the_same_session", "Perform_volume_maintenance_tasks", "Load_and_unload_device_drivers", "Force_shutdown_from_a_remote_system", "Back_up_files_and_directories", "Create_a_pagefile", "Deny_log_on_as_a_service", "Log_on_as_a_batch_job", "Create_permanent_shared_objects"] ] - Default: Take_ownership_of_files_or_other_objects
dsc_force - [ Boolean ] - Default: true
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'":
      users: ["Builtin\\Administrators"]
      dsc_policy: "Take_ownership_of_files_or_other_objects"
      dsc_force: true

Alternate Config IDs:
2.2.48
c2_2_48
ensure_take_ownership_of_files_or_other_objects_is_set_to_administrators
Resource: Sce_windows::Utils::Userrightsassignment_wrapper['Take ownership of files or other objects']

2.3.1.1 - (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

Parameters:
dsc_accounts_block_microsoft_accounts - [ Optional[Enum[\This policy is disabled\, \Users cant add Microsoft accounts\, \Users cant add or log on with Microsoft accounts\]] ] - Default: Users cant add or log on with Microsoft accounts
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'":
      dsc_accounts_block_microsoft_accounts: "Users cant add or log on with Microsoft accounts"

Alternate Config IDs:
2.3.1.1
c2_3_1_1
ensure_accounts_block_microsoft_accounts_is_set_to_users_cant_add_or_log_on_with_microsoft_accounts
Resource: Class['sce_windows::utils::securityoption_wrapper']

2.3.1.2 - (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)

Parameters:
dsc_accounts_guest_account_status - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Disabled
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)":
      dsc_accounts_guest_account_status: "Disabled"

Alternate Config IDs:
2.3.1.2
c2_3_1_2
ensure_accounts_guest_account_status_is_set_to_disabled_ms_only
Resource: Class['sce_windows::utils::securityoption_wrapper']

2.3.1.3 - (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'

Parameters:
dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only - [ Optional[Enum[\Enabled\, \Disabled\]] ] - Default: Enabled
Supported Levels:
level_1
Supported Profiles:
member_server
Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'":
      dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only: "Enabled"

Alternate Config IDs:
2.3.1.3
c2_3_1_3
ensure_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_enabled
Resource: Class['sce_windows::utils::securityoption_wrapper']

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

sce_windows

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Open Source Puppet

Version information

This version is compatible with:

Tasks:

Documentation

sce_windows

SCE for Windows Reference

Table of Contents

CIS Microsoft Windows Server 2016 Benchmark 2.0.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

1.1.6 - (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

1.2.1 - (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

1.2.2 - (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

1.2.3 - (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

1.2.4 - (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

2.2.1 - (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

2.2.3 - (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

2.2.4 - (L1) Ensure 'Act as part of the operating system' is set to 'No One'

2.2.6 - (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

2.2.7 - (L1) Ensure 'Allow log on locally' is set to 'Administrators'

2.2.9 - (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

2.2.10 - (L1) Ensure 'Back up files and directories' is set to 'Administrators'

2.2.11 - (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

2.2.12 - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

2.2.13 - (L1) Ensure 'Create a pagefile' is set to 'Administrators'

2.2.14 - (L1) Ensure 'Create a token object' is set to 'No One'

2.2.15 - (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

2.2.16 - (L1) Ensure 'Create permanent shared objects' is set to 'No One'

2.2.18 - (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

2.2.19 - (L1) Ensure 'Debug programs' is set to 'Administrators'

2.2.21 - (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

2.2.22 - (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

2.2.23 - (L1) Ensure 'Deny log on as a service' to include 'Guests'

2.2.24 - (L1) Ensure 'Deny log on locally' to include 'Guests'

2.2.26 - (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

2.2.28 - (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

2.2.29 - (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

2.2.30 - (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

2.2.32 - (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

2.2.33 - (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'

2.2.34 - (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

2.2.35 - (L1) Ensure 'Lock pages in memory' is set to 'No One'

2.2.38 - (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

2.2.39 - (L1) Ensure 'Modify an object label' is set to 'No One'

2.2.40 - (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

2.2.41 - (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

2.2.42 - (L1) Ensure 'Profile single process' is set to 'Administrators'

2.2.43 - (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

2.2.44 - (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

2.2.45 - (L1) Ensure 'Restore files and directories' is set to 'Administrators'

2.2.46 - (L1) Ensure 'Shut down the system' is set to 'Administrators'

2.2.48 - (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'

2.3.1.1 - (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

2.3.1.2 - (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)

2.3.1.3 - (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'

2.3.1.4 - (L1) Configure 'Accounts: Rename administrator account'

What are tasks?

Tasks in this module release

sce_delete_securitypolicy_inf

Change log

Dependencies

`sce_windows`