cis_security_hardening_windows: Windows main class. The entry point with most parameters processed here. It applies CIS hardening.
cis_security_hardening_windows::cis: Windows cis class. It is called from the cis_security_hardening_windows class. Params are derived from in-module hiera and can be excluded.
cis_security_hardening_windows::remote_desktop: Windows remote_desktop class. It is called from the cis_security_hardening_windows class when $allow_remote_desktop is true.
Windows main class. The entry point with most parameters processed here. It applies CIS hardening
include cis_security_hardening_windows
The following parameters are available in the cis_security_hardening_windows class:
users
purge_unmanaged_users
cis_profile_type
cis_enforcement_level
cis_include_bitlocker
cis_include_nextgen
cis_exclude_rules
cis_include_hkcu
misc_registry
enable_administrator
enable_remote_desktop
trusted_rdp_subnets
remote_local_accounts
performance_powerscheme
clear_temp_files
auto_restart
catalog_no_cache
users
Data type: Hash
Any users to create
Default value: lookup( 'users', Hash, 'deep', {})

purge_unmanaged_users
Data type: Boolean
If unmanaged users should be purged. Requires the users hash to be defined
Default value: lookup( 'purge_unmanaged_users', Boolean, undef, false )

cis_profile_type
Data type: Enum['domain', 'standalone']
Apply the domain or standalone CIS benchmark
Default value: lookup( 'cis_profile_type', Enum['domain', 'standalone'], undef, 'domain' )

cis_enforcement_level
Data type: Integer[1, 2]
CIS level to apply. Level 2 includes level 1
Default value: lookup( 'cis_enforcement_level', Integer[1, 2], undef, 2 )

cis_include_bitlocker
Data type: Boolean
If the CIS BitLocker rules should be included
Default value: lookup( 'cis_include_bitlocker', Boolean, undef, true )

cis_include_nextgen
Data type: Boolean
If the CIS Next Generation Windows Security rules should be included
Default value: lookup( 'cis_include_nextgen', Boolean, undef, true )

cis_exclude_rules
Data type: Array
Optional array of rule names to exclude (to opt out of included rules)
Default value: lookup( 'cis_exclude_rules', Array, 'deep', [])

cis_include_hkcu
Data type: Boolean
If true, the CIS defined local group policy objects are copied in for users, as puppetlabs/registry cannot apply HKCU
Default value: lookup( 'cis_include_hkcu', Boolean, undef, true )

misc_registry
Data type: Hash
Lookup of miscellaneous registry items to apply. Currently sets Puppet logging to the event viewer and disables SMB1
Default value: lookup( 'misc_registry', Hash, 'deep', {})

enable_administrator
Data type: Boolean
If the local Administrator account is enabled. Note that the account must be renamed whether it is enabled or not
Default value: lookup( 'enable_administrator', Boolean, undef, false )

enable_remote_desktop
Data type: Boolean
If true, the RDP service will be enabled and a firewall rule created (false)
Default value: lookup( 'enable_remote_desktop', Boolean, undef, false )

trusted_rdp_subnets
Data type: Array
Trusted subnets for inbound RDP connections, used in the firewall rules. Undef will be converted to 'any'
Default value: lookup( 'trusted_rdp_subnets', Array, undef, [])

remote_local_accounts
Data type: Boolean
If true and RDP is enabled, this allows local user accounts to connect remotely. Required if not domain joined (true)
Default value: lookup( 'remote_local_accounts', Boolean, undef, true )

performance_powerscheme
Data type: Boolean
If true, sets the power scheme to high performance to prevent sleep
Default value: lookup( 'performance_powerscheme', Boolean, undef, false )

clear_temp_files
Data type: Boolean
If true, clears the user temp and system temp directories
Default value: lookup( 'clear_temp_files', Boolean, undef, false )

auto_restart
Data type: Boolean
If true, restarts the host at the end of the Puppet run when registry or local_security_policy changes occur (recommended)
Default value: lookup( 'auto_restart', Boolean, undef, true )

catalog_no_cache
Data type: Boolean
Do not cache the Puppet catalog on disk, as passwords and other values are in plain text
Default value: lookup( 'catalog_no_cache', Boolean, undef, false )
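As an added example (not part of the module's reference), the hiera data below configures the parameters above for a host that is not domain joined. The keys are the plain lookup() keys shown in the parameter defaults; the subnet and the rule name are constructed placeholders, since this page lists no rule identifiers.

```yaml
# Added example hiera data for cis_security_hardening_windows (not from the
# module's own docs). Keys mirror the plain lookup() keys in the parameter
# defaults; subnet and rule-name values are constructed placeholders.
---
# Host is not domain joined: apply the standalone benchmark at level 1.
cis_profile_type: 'standalone'
cis_enforcement_level: 1

# Keep the optional rule families enabled unless there is a documented reason not to.
cis_include_bitlocker: true
cis_include_nextgen: true
cis_include_hkcu: true

# Opt out of individual rules by name. Replace the placeholder with a rule
# name from the module's in-module hiera data.
cis_exclude_rules:
  - 'RULE_NAME_PLACEHOLDER'

# Leave the built-in Administrator account disabled (it is renamed either way).
enable_administrator: false

# RDP is off by default. When it is needed, restrict inbound RDP to management
# subnets rather than leaving trusted_rdp_subnets empty, which becomes 'any'.
enable_remote_desktop: true
trusted_rdp_subnets:
  - '10.20.30.0/24'   # constructed management subnet

# Local accounts must be allowed for RDP on a host that is not domain joined.
remote_local_accounts: true

# Workstation conveniences stay at their defaults.
performance_powerscheme: false
clear_temp_files: false

# Reboot after registry / local security policy changes so they take effect.
auto_restart: true

# The catalog can contain plain-text passwords (for example from the users
# hash), so do not leave a cached copy on disk.
catalog_no_cache: true
```

With this data in place, `include cis_security_hardening_windows` is all the manifest needs. Because the defaults call lookup() with the plain key names, the namespaced form that Puppet's automatic parameter lookup uses (for example `cis_security_hardening_windows::cis_profile_type`) works as well and takes precedence over the plain key.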
Windows cis class. It is called from the cis_security_hardening_windows class. Params are derived from in-module hiera and can be excluded.
include cis_security_hardening_windows
The following parameters are available in the cis_security_hardening_windows::cis class:
cis_profile_type
cis_enforcement_level
cis_include_bitlocker
cis_include_nextgen
cis_exclude_rules
cis_include_hkcu
cis_profile_type
Data type: Enum['domain', 'standalone']
Apply the domain or standalone CIS benchmark

cis_enforcement_level
Data type: Integer[1, 2]
CIS level to apply. Level 2 includes level 1

cis_include_bitlocker
Data type: Boolean
If the CIS BitLocker rules should be included

cis_include_nextgen
Data type: Boolean
If the CIS Next Generation Windows Security rules should be included

cis_exclude_rules
Data type: Array
Optional array of rule names to exclude (to opt out of included rules)

cis_include_hkcu
Data type: Boolean
If true, lgpo is used to import group policy objects for HKCU, as puppetlabs/registry cannot apply them
Windows remote_desktop class. It is called from the cis_security_hardening_windows class when $allow_remote_desktop is true.
include cis_security_hardening_windows
The following parameters are available in the cis_security_hardening_windows::remote_desktop class:

Data type: Array
Trusted subnets for inbound RDP connections, used in the firewall rules. Undef will be converted to 'any'

Data type: Boolean
If local accounts are permitted to connect remotely. Required if not domain joined