From e2dac83fda203794c303897e620ac0995d4851cb Mon Sep 17 00:00:00 2001 From: "matthew.tunny" Date: Tue, 21 Feb 2017 21:01:45 +1000 Subject: [PATCH 1/3] added cis standard to merge --- files/audit_settings.csv | 21 + files/localComputer.inf | 50 ++ recipes/_tobreakout_windows2012r2.rb | 532 ++++++++++++++++++ test/integration/default/default_spec.rb | 380 +++++++++++++ .../default/serverspec/default_spec.rb | 9 - 5 files changed, 983 insertions(+), 9 deletions(-) create mode 100755 files/audit_settings.csv create mode 100644 files/localComputer.inf create mode 100644 recipes/_tobreakout_windows2012r2.rb create mode 100644 test/integration/default/default_spec.rb delete mode 100644 test/integration/default/serverspec/default_spec.rb diff --git a/files/audit_settings.csv b/files/audit_settings.csv new file mode 100755 index 0000000..e6d3cdf --- /dev/null +++ b/files/audit_settings.csv 
@@ -0,0 +1,21 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Privilege Use Events,{0cce922a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
diff --git a/files/localComputer.inf b/files/localComputer.inf
new file mode 100644
index 0000000..5018dee
--- /dev/null
+++ b/files/localComputer.inf
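Review bot: Audit Process Creation is enabled for Success in this file, but nothing else in the patch turns on command-line capture, so the resulting 4688 events will carry the image path only; if this policy is meant to feed detection, the recipe in this same patch is the place to add `ProcessCreationIncludeCmdLine_Enabled` (DWORD 1) under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit`, with the caveat that command lines can contain secrets, so who can read the Security log should be reviewed alongside it. The CSV has no room for comments, so the rationale for the chosen subcategories (and why Object Access and DS Access are omitted) belongs in the recipe next to the `auditpol /restore` call.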
@@ -0,0 +1,50 @@
+[Unicode]
+Unicode=yes
+[Event Audit]
+AuditSystemEvents = 3
+AuditLogonEvents = 0
+AuditObjectEvents = 0
+AuditPrivilegeUse = 0
+AuditPolicyChange = 0
+AuditAccountManage = 0
+AuditProcessTracking = 0
+AuditDSAccess = 0
+AuditAccountLogon = 0
+[Privilege Rights]
+SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
+SeBackupPrivilege = *S-1-5-32-544
+SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-0
+SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
+SeCreatePagefilePrivilege = *S-1-5-32-544
+SeDebugPrivilege = *S-1-5-32-544
+SeRemoteShutdownPrivilege = *S-1-5-32-544
+SeAuditPrivilege = *S-1-5-19,*S-1-5-20
+SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
+SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
+SeLoadDriverPrivilege = *S-1-5-32-544
+SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
+SeServiceLogonRight = *S-1-5-80-0
+SeInteractiveLogonRight = *S-1-5-32-544
+SeSecurityPrivilege = *S-1-5-32-544
+SeSystemEnvironmentPrivilege = *S-1-5-32-544
+SeProfileSingleProcessPrivilege = *S-1-5-32-544
+SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
+SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
+SeRestorePrivilege = *S-1-5-32-544
+SeShutdownPrivilege = *S-1-5-32-544
+SeTakeOwnershipPrivilege = *S-1-5-32-544
+SeDenyNetworkLogonRight = *S-1-5-32-546
+SeDenyBatchLogonRight = *S-1-5-32-546
+SeDenyServiceLogonRight = *S-1-5-32-546
+SeDenyInteractiveLogonRight = *S-1-5-32-546
+SeUndockPrivilege = *S-1-5-32-544
+SeManageVolumePrivilege = *S-1-5-32-544
+SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
+SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
+SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
+SeIncreaseWorkingSetPrivilege = *S-1-5-32-545,*S-1-5-90-0
+SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544
+SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
+[Version]
+signature="$CHICAGO$"
+Revision=1
diff --git a/recipes/_tobreakout_windows2012r2.rb b/recipes/_tobreakout_windows2012r2.rb
new file mode 100644
index 0000000..cd36ba3
--- /dev/null
+++ b/recipes/_tobreakout_windows2012r2.rb
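Review bot: Rights that are absent from `[Privilege Rights]` are left at their current assignment when `secedit /configure` applies this template, not cleared, so the file does not enforce the empty-assignment rights a hardening template normally pins (Act as part of the OS, Create a token object, Access Credential Manager as a trusted caller, Lock pages in memory, Create permanent shared objects); add them with an empty value, e.g. `SeTcbPrivilege =`, `SeCreateTokenPrivilege =`, `SeTrustedCredManAccessPrivilege =`. There is also no `[System Access]` section, so password length/history and lockout threshold/duration are untouched by this template; if they are applied elsewhere, a comment in the recipe saying so would save the next reader a search. The `[Event Audit]` values are the legacy nine categories, and the recipe sets `SCENoApplyLegacyAuditPolicy = 1`, which makes the subcategory CSV win; a line such as `; legacy categories, superseded by audit_settings.csv once SCENoApplyLegacyAuditPolicy=1` at the top of that section would stop someone "fixing" the zeros later.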
@@ -0,0 +1,532 @@ +# Registry keys for Windows Server2012 R2 hardening GPO + +# Winlogon Settings +registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' do + values [{ name: 'PasswordExpiryWarning', type: :dword, data: 14 }, + { name: 'ScreenSaverGracePeriod', type: :string, data: 5 }, + { name: 'AllocateDASD', type: :string, data: 0 }, + { name: 'ScRemoveOption', type: :string, data: 1 }, + { name: 'ForceUnlockLogon', type: :string, data: 0 }, + { name: 'AutoAdminLogon', type: :string, data: 0 }, # This will stop auto login for kitchen tests + { name: 'CachedLogonsCount', type: :string, data: 4 }] + action :create +end + +# LSA settings +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do + values [ # { name: 'fullprivilegeauditing', type: :binary, data: 01 }, Removed due to 31 value being passed through chef, added powershell script below + { name: 'AuditBaseObjects', type: :dword, data: 1 }, + { name: 'SCENoApplyLegacyAuditPolicy', type: :dword, data: 1 }, + { name: 'DisableDomainCreds', type: :dword, data: 1 }, + { name: 'LimitBlankPasswordUse', type: :dword, data: 1 }, + { name: 'CrashOnAuditFail', type: :dword, data: 0 }, + { name: 'RestrictAnonymousSAM', type: :dword, data: 1 }, + { name: 'RestrictAnonymous', type: :dword, data: 0 }, + { name: 'SubmitControl', type: :dword, data: 0 }, + { name: 'ForceGuest', type: :dword, data: 0 }, + { name: 'EveryoneIncludesAnonymous', type: :dword, data: 0 }, + { name: 'NoLMHash', type: :dword, data: 1 }, + { name: 'LmCompatibilityLevel', type: :dword, data: 5 }] + action :create +end + +powershell_script 'fullprivilegeauditing' do + code <<-EOH +Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" -Name fullprivilegeauditing -Value 01 +EOH +end + +# This setting prevents online identities from being used by PKU2U, which is a peer-to-peer authentication protocol. Authentication will be centrally managed with Windows user accounts. 
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' do + values [{ + name: 'AllowOnlineID', + type: :dword, + data: 0 + }] + action :create +end + +if node['NTLM_Harden'] == false + registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do + values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }, + { name: 'allownullsessionfallback', type: :dword, data: 0 }, + # { name: 'RestrictReceivingNTLMTraffic', type: :dword, data: 2 }, # Hashed out due to breaking WinRM + # { name: 'RestrictSendingNTLMTraffic', type: :dword, data: 2 }, # Hashed out due to breaking WinRM + { name: 'NTLMMinClientSec', type: :dword, data: 537_395_200 }, + { name: 'AuditReceivingNTLMTraffic', type: :dword, data: 2 }] + action :create + end +end + +if node['NTLM_Harden'] == true + registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do + values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }, + { name: 'allownullsessionfallback', type: :dword, data: 0 }, + { name: 'RestrictReceivingNTLMTraffic', type: :dword, data: 2 }, + { name: 'RestrictSendingNTLMTraffic', type: :dword, data: 2 }, + { name: 'NTLMMinClientSec', type: :dword, data: 537_395_200 }, + { name: 'AuditReceivingNTLMTraffic', type: :dword, data: 2 }] + action :create + end + # Setting this on breaks test-kitchen - Federal Information Processing Standards. 
+ registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' do + values [{ + name: 'Enabled', + type: :dword, + data: 0 + }] + action :create + end +end + +# Netlogon Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' do + values [{ name: 'MaximumPasswordAge', type: :dword, data: 30 }, + { name: 'DisablePasswordChange', type: :dword, data: 0 }, + { name: 'RefusePasswordChange', type: :dword, data: 0 }, + { name: 'SealSecureChannel', type: :dword, data: 1 }, + { name: 'RequireSignOrSeal', type: :dword, data: 1 }, + { name: 'SignSecureChannel', type: :dword, data: 1 }, + { name: 'RequireStrongKey', type: :dword, data: 1 }, + { name: 'RestrictNTLMInDomain', type: :dword, data: 7 }, + { name: 'AuditNTLMInDomain', type: :dword, data: 7 }] + action :create +end + +# TCPIP 4 Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters' do + values [{ name: 'DisableIPSourceRouting', type: :dword, data: 2 }, + { name: 'TcpMaxDataRetransmissions', type: :dword, data: 3 }] + action :create +end + +# TCPIP 6 Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters' do + values [{ name: 'DisableIPSourceRouting', type: :dword, data: 2 }, + { name: 'TcpMaxDataRetransmissions', type: :dword, data: 3 }] + action :create +end + +# System Policys +registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' do + values [{ name: 'ConsentPromptBehaviorUser', type: :dword, data: 0 }, + { name: 'EnableLUA', type: :dword, data: 1 }, + { name: 'MSAOptional', type: :dword, data: 1 }, + { name: 'NoConnectedUser', type: :dword, data: 1 }, + { name: 'PromptOnSecureDesktop', type: :dword, data: 1 }, + { name: 'EnableVirtualization', type: :dword, data: 1 }, + { name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 0 }, + { name: 'EnableUIADesktopToggle', type: :dword, data: 0 }, + { name: 
'ConsentPromptBehaviorAdmin', type: :dword, data: 2 }, + { name: 'EnableSecureUIAPaths', type: :dword, data: 1 }, + { name: 'FilterAdministratorToken', type: :dword, data: 1 }, + { name: 'MaxDevicePasswordFailedAttempts', type: :dword, data: 10 }, + { name: 'DontDisplayLastUserName', type: :dword, data: 1 }, + { name: 'DontDisplayLockedUserId', type: :dword, data: 3 }, + { name: 'InactivityTimeoutSecs', type: :dword, data: 900 }, + { name: 'EnableInstallerDetection', type: :dword, data: 1 }, + { name: 'DisableCAD', type: :dword, data: 0 }, + { name: 'ShutdownWithoutLogon', type: :dword, data: 0 }, + { name: 'legalnoticecaption', type: :string, data: 'Company Logon Warning' }, + { name: 'legalnoticetext', type: :string, data: 'Warning text goes here...' }] + action :create +end + +# Lanman Server Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' do + values [{ name: 'enablesecuritysignature', type: :dword, data: 1 }, + { name: 'requiresecuritysignature', type: :dword, data: 1 }, + { name: 'RestrictNullSessAccess', type: :dword, data: 1 }, + { name: 'enableforcedlogoff', type: :dword, data: 1 }, + { name: 'autodisconnect', type: :dword, data: 15 }, + { name: 'SMBServerNameHardeningLevel', type: :dword, data: 0 }] + action :create +end + +# Lanman Workstation Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' do + values [{ name: 'RequireSecuritySignature', type: :dword, data: 1 }, + { name: 'EnableSecuritySignature', type: :dword, data: 1 }, + { name: 'EnablePlainTextPassword', type: :dword, data: 0 }] + action :create +end + +# Lanman Print Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' do + values [{ + name: 'AddPrinterDrivers', + type: :dword, + data: 1 + }] + action :create +end + +# LDAP Client Parameters +registry_key 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP' do + values [{ + name: 'LDAPClientIntegrity', + type: :dword, + data: 1 + }] + action :create +end + +# LDAP Server Parameters +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters' do + values [{ + name: 'LDAPServerIntegrity', + type: :dword, + data: 2 + }] + action :create +end + +# Session Manager +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager' do + values [{ name: 'ProtectionMode', type: :dword, data: 1 }, + { name: 'SafeDllSearchMode', type: :dword, data: 1 }] + action :create +end + +# EMET Parameters +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults' do + values [{ name: 'IE', type: :string, data: '*\Internet Explorer\iexplore.exe' }, + { name: '7z', type: :string, data: '*\7-Zip\7z.exe -EAF' }, + { name: '7zFM', type: :string, data: '*\7-Zip\7zFM.exe -EAF' }, + { name: '7zGUI', type: :string, data: '*\7-Zip\7zG.exe -EAF' }, + { name: 'Access', type: :string, data: '*\OFFICE1*\MSACCESS.EXE' }, + { name: 'Acrobat', type: :string, data: '*\Adobe\Acrobat*\Acrobat\Acrobat.exe' }, + { name: 'AcrobatReader', type: :string, data: '*\Adobe\Reader*\Reader\AcroRd32.exe' }, + { name: 'Chrome', type: :string, data: '*\Google\Chrome\Application\chrome.exe -SEHOP' }, + { name: 'Excel', type: :string, data: '*\OFFICE1*\EXCEL.EXE' }, + { name: 'Firefox', type: :string, data: '*\Mozilla Firefox\firefox.exe' }, + { name: 'FirefoxPluginContainer', type: :string, data: '*\Mozilla Firefox\plugin-container.exe' }, + { name: 'FoxitReader', type: :string, data: '*\Foxit Reader\Foxit Reader.exe' }, + { name: 'GoogleTalk', type: :string, data: '*\Google\Google Talk\googletalk.exe -DEP -SEHOP' }, + { name: 'InfoPath', type: :string, data: '*\OFFICE1*\INFOPATH.EXE' }, + { name: 'iTunes', type: :string, data: '*\iTunes\iTunes.exe' }, + { name: 'jre6_java', type: :string, data: '*\Java\jre6\bin\java.exe -HeapSpray' }, + { name: 
'jre6_javaw', type: :string, data: '*\Java\jre6\bin\javaw.exe -HeapSpray' }, + { name: 'jre6_javaws', type: :string, data: '*\Java\jre6\bin\javaws.exe -HeapSpray' }, + { name: 'jre7_java', type: :string, data: '*\Java\jre7\bin\java.exe -HeapSpray' }, + { name: 'jre7_javaw', type: :string, data: '*\Java\jre7\bin\javaw.exe -HeapSpray' }, + { name: 'jre7_javaws', type: :string, data: '*\Java\jre7\bin\javaws.exe -HeapSpray' }, + { name: 'jre8_java', type: :string, data: '*\Java\jre1.8*\bin\java.exe -HeapSpray' }, + { name: 'jre8_javaw', type: :string, data: '*\Java\jre1.8*\bin\javaw.exe -HeapSpray' }, + { name: 'jre8_javaws', type: :string, data: '*\Java\jre1.8*\bin\javaws.exe -HeapSpray' }, + { name: 'LiveWriter', type: :string, data: '*\Windows Live\Writer\WindowsLiveWriter.exe' }, + { name: 'Lync', type: :string, data: '*\OFFICE1*\LYNC.EXE' }, + { name: 'LyncCommunicator', type: :string, data: '*\Microsoft Lync\communicator.exe' }, + { name: 'mIRC', type: :string, data: '*\mIRC\mirc.exe' }, + { name: 'Opera', type: :string, data: '*\Opera\opera.exe' }, + { name: 'Outlook', type: :string, data: '*\OFFICE1*\OUTLOOK.EXE' }, + { name: 'PhotoGallery', type: :string, data: '*\Windows Live\Photo Gallery\WLXPhotoGallery.exe' }, + { name: 'Photoshop', type: :string, data: '*\Adobe\Adobe Photoshop CS*\Photoshop.exe' }, + { name: 'Picture Manager', type: :string, data: '*\OFFICE1*\OIS.EXE' }, + { name: 'Pidgin', type: :string, data: '*\Pidgin\pidgin.exe' }, + { name: 'PowerPoint', type: :string, data: '*\OFFICE1*\POWERPNT.EXE' }, + { name: 'PPTViewer', type: :string, data: '*\OFFICE1*\PPTVIEW.EXE' }, + { name: 'Publisher', type: :string, data: '*\OFFICE1*\MSPUB.EXE' }, + { name: 'QuickTimePlayer', type: :string, data: '*\QuickTime\QuickTimePlayer.exe' }, + { name: 'RealConverter', type: :string, data: '*\Real\RealPlayer\realconverter.exe' }, + { name: 'RealPlayer', type: :string, data: '*\Real\RealPlayer\realplay.exe' }, + { name: 'Safari', type: :string, data: 
'*\Safari\Safari.exe' }, + { name: 'SkyDrive', type: :string, data: '*\SkyDrive\SkyDrive.exe' }, + { name: 'Skype', type: :string, data: '*\Skype\Phone\Skype.exe -EAF' }, + { name: 'Thunderbird', type: :string, data: '*\Mozilla Thunderbird\thunderbird.exe' }, + { name: 'ThunderbirdPluginContainer', type: :string, data: '*\Mozilla Thunderbird\plugin-container.exe' }, + { name: 'UnRAR', type: :string, data: '*\WinRAR\unrar.exe' }, + { name: 'Visio', type: :string, data: '*\OFFICE1*\VISIO.EXE' }, + { name: 'VisioViewer', type: :string, data: '*\OFFICE1*\VPREVIEW.EXE' }, + { name: 'VLC', type: :string, data: '*\VideoLAN\VLC\vlc.exe' }, + { name: 'Winamp', type: :string, data: '*\Winamp\winamp.exe' }, + { name: 'WindowsLiveMail', type: :string, data: '*\Windows Live\Mail\wlmail.exe' }, + { name: 'WindowsMediaPlayer', type: :string, data: '*\Windows Media Player\wmplayer.exe -SEHOP -EAF -MandatoryASLR' }, + { name: 'WinRARConsole', type: :string, data: '*\WinRAR\rar.exe' }, + { name: 'WinRARGUI', type: :string, data: '*\WinRAR\winrar.exe' }, + { name: 'WinZip', type: :string, data: '*\WinZip\winzip32.exe' }, + { name: 'Winzip64', type: :string, data: '*\WinZip\winzip64.exe' }, + { name: 'Word', type: :string, data: '*\OFFICE1*\WINWORD.EXE' }, + { name: 'Wordpad', type: :string, data: '*\Windows NT\Accessories\wordpad.exe' }] + recursive true + action :create +end + +# EMET Sys Parameters +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings' do + values [{ name: 'DEP', type: :dword, data: 2 }] + recursive true + action :create +end + +# Session Management Kernal +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel' do + values [{ + name: 'ObCaseInsensitive', + type: :dword, + data: 1 + }] + action :create +end + +# WDigest Parameters +registry_key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' do + values [{ + name: 'UseLogonCredential', + type: :dword, + data: 0 + }] + action 
:create +end + +# Memory Management +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management' do + values [{ + name: 'ClearPageFileAtShutdown', + type: :dword, + data: 0 + }] + action :create +end + +# RecoveryConsole Parameters +registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole' do + values [{ name: 'setcommand', type: :dword, data: 0 }, + { name: 'securitylevel', type: :dword, data: 0 }] + action :create +end + +# Event Log +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security' do + values [{ + name: 'WarningLevel', + type: :dword, + data: 90 + }] + action :create +end + +# Cryptography Parameters +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography' do + values [{ + name: 'ForceKeyProtection', + type: :dword, + data: 2 + }] + action :create +end + +# CodeIdentifiers Parameters +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers' do + values [{ + name: 'authenticodeenabled', + type: :dword, + data: 0 + }] + action :create +end + +# AllowedPaths +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' do + values [{ + name: 'Machine', + type: :multi_string, + data: ['System\CurrentControlSet\Control\Print\Printers', + 'System\CurrentControlSet\Services\Eventlog', + 'Software\Microsoft\OLAP Server', + 'Software\Microsoft\Windows NT\CurrentVersion\Print', + 'Software\Microsoft\Windows NT\CurrentVersion\Windows', + 'System\CurrentControlSet\Control\ContentIndex', + 'System\CurrentControlSet\Control\Terminal Server', + 'System\CurrentControlSet\Control\Terminal Server\UserConfig', + 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', + 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', + 'System\CurrentControlSet\Services\SysmonLog'] }] + action :create +end + +# AllowedExactPaths +registry_key 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' do + values [{ + name: 'Machine', + type: :multi_string, + data: ['System\CurrentControlSet\Control\ProductOptions', + 'System\CurrentControlSet\Control\Server Applications', + 'Software\Microsoft\Windows NT\CurrentVersion'] }] + action :create +end + +# WinRS Parameters +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS' do + values [{ + name: 'AllowRemoteShellAccess', + type: :dword, + data: 1 + }] + recursive true + action :create +end + +# Search Companion prevented from automatically downloading content updates. # +registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' do + values [{ + name: 'DisableContentFileUpdates', + type: :dword, + data: 1 + }] + recursive true + action :create +end + +# SQMC +registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' do + values [{ + name: 'CEIPEnable', + type: :dword, + data: 0 + }] + recursive true + action :create +end + +# Disable Microsoft Online Accounts +registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount' do + values [{ + name: 'value', + type: :dword, + data: 0 + }] + recursive true + action :create +end + +# Disable Network SelectionUI +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' do + values [{ + name: 'DontDisplayNetworkSelectionUI', + type: :dword, + data: 1 + }] + recursive true + action :create +end + +# UAC Elevation +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer' do + values [{ + name: 'AlwaysInstallElevated', + type: :dword, + data: 0 + }] + recursive true + action :create +end + +# Audit Logs +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application' do + values [{ name: 'MaxSize', type: :dword, data: 327_68 }, + { name: 'Retention', type: :string, data: 0 }] + recursive true + 
action :create +end +# Audit Logs +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security' do + values [{ name: 'MaxSize', type: :dword, data: 196_608 }, + { name: 'Retention', type: :string, data: 0 }] + recursive true + action :create +end +# Audit Logs +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System' do + values [{ name: 'MaxSize', type: :dword, data: 327_68 }, + { name: 'Retention', type: :string, data: 0 }] + recursive true + action :create +end +# Auto Mount CD Drive +registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' do + values [{ name: 'NoDriveTypeAutoRun', type: :dword, data: 255 }, + { name: 'NoPublishingWizard', type: :dword, data: 1 }] + action :create +end + +# Encryption of RDP +registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' do + values [{ + name: 'MinEncryptionLevel', + type: :dword, + data: 3 + }] + action :create + recursive true +end + +# Index of encrypted files +registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' do + values [{ + name: 'AllowIndexingEncryptedStoresOrItems', + type: :dword, + data: 0 + }] + action :create + recursive true +end + +# Personalization Lock screen +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization' do + values [ + { name: 'NoLockScreenSlideshow', type: :dword, data: 1 }, + { name: 'NoLockScreenCamera', type: :dword, data: 1 }] + action :create + recursive true +end + +# Messenger +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client' do + values [{ + name: 'CEIP', + type: :dword, + data: 2 + }] + action :create + recursive true +end + +# Turn off Windows Update device driver searching +registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching' do + values [{ + name: 'DontSearchWindowsUpdate', + type: :dword, + data: 1 + }] + action :create + 
recursive true +end + +directory 'c:/temp' do + action :create +end + +# Local Security Policy +cookbook_file 'c:/temp/localComputer.inf' do + action :create +end + +# Reg Files for save applications +cookbook_file 'c:/temp/audit_settings.csv' do + action :create +end + +# Script to apply settings that can't be down in registry' +powershell_script 'import' do + cwd 'c:/temp' + code <<-EOH + secedit /import /db secedit.sdb /cfg localComputer.inf + secedit /configure /db secedit.sdb + auditpol /restore /File:audit_settings.csv + gpupdate /force + del "localComputer.inf" -force -ErrorAction SilentlyContinue + del "secedit.sdb" -force -ErrorAction SilentlyContinue + del "audit_settings.csv" -force -ErrorAction SilentlyContinue + EOH +end diff --git a/test/integration/default/default_spec.rb b/test/integration/default/default_spec.rb new file mode 100644 index 0000000..70f010c --- /dev/null +++ b/test/integration/default/default_spec.rb 
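Review bot: The `powershell_script 'import'` at the end of the hunk trusts whatever is in `c:/temp` when `secedit /import` runs, and the `directory 'c:/temp'` resource above it creates that folder with inherited ACLs; if `C:\temp` already exists and is writable by standard users, a local user can replace `localComputer.inf` between the `cookbook_file` write and the import and have SYSTEM hand them any right in `[Privilege Rights]`. Stage the files under `Chef::Config[:file_cache_path]` or lock the directory to Administrators/SYSTEM as below. Separately, `if node['NTLM_Harden'] == false` and `if node['NTLM_Harden'] == true` both evaluate false when the attribute is unset (nil), so the whole MSV1_0 block is silently skipped in that case; `if node['NTLM_Harden']` with an `else` branch is presumably what was intended. The import also re-runs secedit/auditpol/gpupdate on every converge, and the trailing `del` lines guarantee the `cookbook_file` resources re-create the files next time, so even a `subscribes` guard would keep firing; dropping the deletes (harmless once the directory is admin-only) and making the script `action :nothing` with `subscribes` on the two cookbook_file resources limits it to real changes.
```ruby
# Staging area for the secedit template and auditpol backup. Administrators/SYSTEM only,
# inheritance disabled, so a non-admin local user cannot swap the files before import.
directory 'c:/temp' do
  rights :full_control, %w(Administrators SYSTEM)
  inherits false
  action :create
end

# … unchanged: cookbook_file 'c:/temp/localComputer.inf' and 'c:/temp/audit_settings.csv' …

# Runs only when one of the staged files changes; the files are left in place so the
# cookbook_file resources stay idempotent between converges.
powershell_script 'import' do
  cwd 'c:/temp'
  code <<-EOH
  secedit /import /db secedit.sdb /cfg localComputer.inf
  secedit /configure /db secedit.sdb
  auditpol /restore /File:audit_settings.csv
  gpupdate /force
  del "secedit.sdb" -force -ErrorAction SilentlyContinue
  EOH
  action :nothing
  subscribes :run, 'cookbook_file[c:/temp/localComputer.inf]', :immediately
  subscribes :run, 'cookbook_file[c:/temp/audit_settings.csv]', :immediately
end
```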
@@ -0,0 +1,380 @@ +# # encoding: utf-8 + +# Inspec test for recipe + +# The Inspec reference, with examples and extensive documentation, can be +# found at http://inspec.io/docs/reference/resources/ + +# WinLogon Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') do + its('PasswordExpiryWarning') { should eq 14 } + its('ScreenSaverGracePeriod') { should eq '5' } + its('AllocateDASD') { should eq '0' } + its('ScRemoveOption') { should eq '1' } + its('CachedLogonsCount') { should eq '4' } +end + +# LSA tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa') do + its('FullPrivilegeAuditing') { should eq [01] } + its('AuditBaseObjects') { should eq 1 } + its('SCENoApplyLegacyAuditPolicy') { should eq 1 } + its('DisableDomainCreds') { should eq 1 } + its('LimitBlankPasswordUse') { should eq 1 } + its('CrashOnAuditFail') { should eq 0 } + its('RestrictAnonymousSAM') { should eq 1 } + its('RestrictAnonymous') { should eq 0 } + its('SubmitControl') { should eq 0 } + its('ForceGuest') { should eq 0 } + its('EveryoneIncludesAnonymous') { should eq 0 } + its('NoLMHash') { should eq 1 } + its('LmCompatibilityLevel') { should eq 5 } +end + +# LSA Pku2 tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u') do + its('AllowOnlineID') { should eq 0 } +end + +# LSA MSV1_0 Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0') do + its('NTLMMinServerSec') { should eq 537_395_200 } + its('allownullsessionfallback') { should eq 0 } + its('NTLMMinClientSec') { should eq 537_395_200 } + its('AuditReceivingNTLMTraffic') { should eq 2 } +end + +# NTLM Test +# describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0') do +# its('RestrictReceivingNTLMTraffic') { should eq 2 } +# its('RestrictSendingNTLMTraffic') { should eq 2 } +# end + +# FIPS FIPSAlgorithmPolicy Test +describe 
registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy') do + its('Enabled') { should eq 0 } +end + +# Netlogon Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters') do + its('MaximumPasswordAge') { should eq 30 } + its('DisablePasswordChange') { should eq 0 } + its('RefusePasswordChange') { should eq 0 } + its('SealSecureChannel') { should eq 1 } + its('RequireSignOrSeal') { should eq 1 } + its('SignSecureChannel') { should eq 1 } + its('RequireStrongKey') { should eq 1 } + its('RestrictNTLMInDomain') { should eq 7 } + its('AuditNTLMInDomain') { should eq 7 } +end + +# TCPIP v4 Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters') do + its('DisableIPSourceRouting') { should eq 2 } + its('TcpMaxDataRetransmissions') { should eq 3 } +end + +# TCPIP v6 Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters') do + its('DisableIPSourceRouting') { should eq 2 } + its('TcpMaxDataRetransmissions') { should eq 3 } +end + +# Windows System Policies Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System') do + its('ConsentPromptBehaviorUser') { should eq 0 } + its('EnableLUA') { should eq 1 } + its('PromptOnSecureDesktop') { should eq 1 } + its('EnableVirtualization') { should eq 1 } + its('EnableUIADesktopToggle') { should eq 0 } + its('ConsentPromptBehaviorAdmin') { should eq 2 } + its('LocalAccountTokenFilterPolicy') { should eq 0 } + its('EnableSecureUIAPaths') { should eq 1 } + its('FilterAdministratorToken') { should eq 1 } + its('MaxDevicePasswordFailedAttempts') { should eq 10 } + its('DontDisplayLastUserName') { should eq 1 } + its('DontDisplayLockedUserId') { should eq 3 } + its('InactivityTimeoutSecs') { should eq 900 } + its('EnableInstallerDetection') { should eq 1 } + its('DisableCAD') { should eq 0 } + its('ShutdownWithoutLogon') { 
should eq 0 } + its('legalnoticecaption') { should eq 'Company Logon Warning' } + its('legalnoticetext') do + should eq 'Warning text goes here...' + end +end + +# LanMan Server Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters') do + its('enablesecuritysignature') { should eq 1 } + its('requiresecuritysignature') { should eq 1 } + its('RestrictNullSessAccess') { should eq 1 } + its('enableforcedlogoff') { should eq 1 } + its('autodisconnect') { should eq 15 } + its('SMBServerNameHardeningLevel') { should eq 0 } +end + +# Lanman Workstations Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters') do + its('RequireSecuritySignature') { should eq 1 } + its('EnableSecuritySignature') { should eq 1 } + its('EnablePlainTextPassword') { should eq 0 } +end + +# LDAP Client Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP') do + its('LDAPClientIntegrity') { should eq 1 } +end + +# LDAP Server Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters') do + its('LDAPServerIntegrity') { should eq 2 } +end + +# Session Manager Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager') do + its('ProtectionMode') { should eq 1 } + its('SafeDllSearchMode') { should eq 1 } +end + +# EMET (IE)Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults') do + its('IE') { should eq '*\Internet Explorer\iexplore.exe' } + its('7z') { should eq '*\7-Zip\7z.exe -EAF' } + its('7zFM') { should eq '*\7-Zip\7zFM.exe -EAF' } + its('7zGUI') { should eq '*\7-Zip\7zG.exe -EAF' } + its('Access') { should eq '*\OFFICE1*\MSACCESS.EXE' } + its('Acrobat') { should eq '*\Adobe\Acrobat*\Acrobat\Acrobat.exe' } + its('AcrobatReader') { should eq '*\Adobe\Reader*\Reader\AcroRd32.exe' } + its('Chrome') { should eq 
'*\Google\Chrome\Application\chrome.exe -SEHOP' } + its('Excel') { should eq '*\OFFICE1*\EXCEL.EXE' } + its('Firefox') { should eq '*\Mozilla Firefox\firefox.exe' } + its('FirefoxPluginContainer') { should eq '*\Mozilla Firefox\plugin-container.exe' } + its('FoxitReader') { should eq '*\Foxit Reader\Foxit Reader.exe' } + its('GoogleTalk') { should eq '*\Google\Google Talk\googletalk.exe -DEP -SEHOP' } + its('InfoPath') { should eq '*\OFFICE1*\INFOPATH.EXE' } + its('iTunes') { should eq '*\iTunes\iTunes.exe' } + its('jre6_java') { should eq '*\Java\jre6\bin\java.exe -HeapSpray' } + its('jre6_javaw') { should eq '*\Java\jre6\bin\javaw.exe -HeapSpray' } + its('jre6_javaws') { should eq '*\Java\jre6\bin\javaws.exe -HeapSpray' } + its('jre7_java') { should eq '*\Java\jre7\bin\java.exe -HeapSpray' } + its('jre7_javaw') { should eq '*\Java\jre7\bin\javaw.exe -HeapSpray' } + its('jre7_javaws') { should eq '*\Java\jre7\bin\javaws.exe -HeapSpray' } + its('jre8_java') { should eq '*\Java\jre1.8*\bin\java.exe -HeapSpray' } + its('jre8_javaw') { should eq '*\Java\jre1.8*\bin\javaw.exe -HeapSpray' } + its('jre8_javaws') { should eq '*\Java\jre1.8*\bin\javaws.exe -HeapSpray' } + its('LiveWriter') { should eq '*\Windows Live\Writer\WindowsLiveWriter.exe' } + its('Lync') { should eq '*\OFFICE1*\LYNC.EXE' } + its('LyncCommunicator') { should eq '*\Microsoft Lync\communicator.exe' } + its('mIRC') { should eq '*\mIRC\mirc.exe' } + its('Opera') { should eq '*\Opera\opera.exe' } + its('Outlook') { should eq '*\OFFICE1*\OUTLOOK.EXE' } + its('PhotoGallery') { should eq '*\Windows Live\Photo Gallery\WLXPhotoGallery.exe' } + its('Photoshop') { should eq '*\Adobe\Adobe Photoshop CS*\Photoshop.exe' } + its('Picture Manager') { should eq '*\OFFICE1*\OIS.EXE' } + its('Pidgin') { should eq '*\Pidgin\pidgin.exe' } + its('PowerPoint') { should eq '*\OFFICE1*\POWERPNT.EXE' } + its('PPTViewer') { should eq '*\OFFICE1*\PPTVIEW.EXE' } + its('Publisher') { should eq '*\OFFICE1*\MSPUB.EXE' } + 
its('QuickTimePlayer') { should eq '*\QuickTime\QuickTimePlayer.exe' } + its('RealConverter') { should eq '*\Real\RealPlayer\realconverter.exe' } + its('RealPlayer') { should eq '*\Real\RealPlayer\realplay.exe' } + its('Safari') { should eq '*\Safari\Safari.exe' } + its('SkyDrive') { should eq '*\SkyDrive\SkyDrive.exe' } + its('Skype') { should eq '*\Skype\Phone\Skype.exe -EAF' } + its('Thunderbird') { should eq '*\Mozilla Thunderbird\thunderbird.exe' } + its('ThunderbirdPluginContainer') { should eq '*\Mozilla Thunderbird\plugin-container.exe' } + its('UnRAR') { should eq '*\WinRAR\unrar.exe' } + its('Visio') { should eq '*\OFFICE1*\VISIO.EXE' } + its('VisioViewer') { should eq '*\OFFICE1*\VPREVIEW.EXE' } + its('VLC') { should eq '*\VideoLAN\VLC\vlc.exe' } + its('Winamp') { should eq '*\Winamp\winamp.exe' } + its('WindowsLiveMail') { should eq '*\Windows Live\Mail\wlmail.exe' } + its('WindowsMediaPlayer') { should eq '*\Windows Media Player\wmplayer.exe -SEHOP -EAF -MandatoryASLR' } + its('WinRARConsole') { should eq '*\WinRAR\rar.exe' } + its('WinRARGUI') { should eq '*\WinRAR\winrar.exe' } + its('WinZip') { should eq '*\WinZip\winzip32.exe' } + its('Winzip64') { should eq '*\WinZip\winzip64.exe' } + its('Word') { should eq '*\OFFICE1*\WINWORD.EXE' } + its('Wordpad') { should eq '*\Windows NT\Accessories\wordpad.exe' } +end + +# EMET (IE)Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings') do + its('DEP') { should eq 2 } +end + +# Session Management Kernal Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel') do + its('ObCaseInsensitive') { should eq 1 } +end + +# WDigest Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest') do + its('UseLogonCredential') { should eq 0 } +end + +# Memory Management Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session 
Manager\Memory Management') do + its('ClearPageFileAtShutdown') { should eq 0 } +end + +# RecoveryConsole Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole') do + its('setcommand') { should eq 0 } + its('securitylevel') { should eq 0 } +end + +# Event Log Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security') do + its('WarningLevel') { should eq 90 } +end + +# Cryptography Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography') do + its('ForceKeyProtection') { should eq 2 } +end + +# Lanman Print Drivers Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers') do + its('AddPrinterDrivers') { should eq 1 } +end + +# CodeIdentifiers Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers') do + its('authenticodeenabled') { should eq 0 } +end + +# rubocop:disable all +# AllowedPaths Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths') do + its('Machine') { should include /(System\\CurrentControlSet\\Control\\Print\\Printers)/ } +end + +# AllowedExactPaths Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths') do + its('Machine') { should include /(System\\CurrentControlSet\\Control\\ProductOptions)/ } +end + +# rubocop:enable all +# WinRS Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS') do + its('AllowRemoteShellAccess') { should eq 1 } +end + +# Search Companion prevented from automatically downloading content updates. 
+describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion') do + its('DisableContentFileUpdates') { should eq 1 } +end + +# SQMC Test +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows') do + its('CEIPEnable') { should eq 0 } +end + +# Disable Microsoft Online Accounts Test +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount') do + its('value') { should eq 0 } +end + +# Disable Network SelectionUI Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System') do + its('DontDisplayNetworkSelectionUI') { should eq 1 } +end + +# UAC Elevation TesT +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer') do + its('AlwaysInstallElevated') { should eq 0 } +end + +# Audit Application Log Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application') do + its('MaxSize') { should eq 327_68 } + its('Retention') { should eq '0' } +end + +# Audit Security Log Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security') do + its('MaxSize') { should eq 196_608 } + its('Retention') { should eq '0' } +end + +# Audit EventLog Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System') do + its('MaxSize') { should eq 327_68 } + its('Retention') { should eq '0' } +end + +# Auto Mount CD Drive Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer') do + its('NoDriveTypeAutoRun') { should eq 255 } + its('NoPublishingWizard') { should eq 1 } +end + +# RDP encryption Test +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services') do + its('MinEncryptionLevel') { should eq 3 } +end + +# Index of Encryption Files Test +describe 
registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search') do + its('AllowIndexingEncryptedStoresOrItems') { should eq 0 } +end + +# Personalization Lock screen Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization') do + its('NoLockScreenSlideshow') { should eq 1 } + its('NoLockScreenCamera') { should eq 1 } +end + +# Personalization Lock screen Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client') do + its('CEIP') { should eq 2 } +end + +# Turn off Windows Update device driver searching Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching') do + its('DontSearchWindowsUpdate') { should eq 1 } +end + +# Local Policy Script +script = <<-EOH +secedit /export /cfg c:\\temp\\tempexport.inf /quiet +Get-content C:\\temp\\tempexport.inf | findstr /B ` +/C:"SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544" ` +/C:"SeServiceLogonRight = *S-1-5-80-0" ` +/C:"SeInteractiveLogonRight = *S-1-5-32-544" ` +/C:"SeSecurityPrivilege = *S-1-5-32-544" ` +/C:"SeSystemEnvironmentPrivilege = *S-1-5-32-544" ` +/C:"SeProfileSingleProcessPrivilege = *S-1-5-32-544" ` +/C:"SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20" ` +/C:"SeRestorePrivilege = *S-1-5-32-544" ` +/C:"SeShutdownPrivilege = *S-1-5-32-544" ` +/C:"SeTakeOwnershipPrivilege = *S-1-5-32-544" ` +/C:"SeDenyNetworkLogonRight = *S-1-5-32-546" ` +/C:"SeDenyBatchLogonRight = *S-1-5-32-546" ` +/C:"SeDenyServiceLogonRight = *S-1-5-32-546" ` +/C:"SeDenyInteractiveLogonRight = *S-1-5-32-546" +del "C:\\temp\\tempexport.inf" -force -ErrorAction SilentlyContinue +EOH + +# Local Policy Tester +describe powershell(script) do + its('stdout') do + should eq "SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544\r +SeServiceLogonRight = *S-1-5-80-0\r +SeInteractiveLogonRight = *S-1-5-32-544\r +SeSecurityPrivilege = *S-1-5-32-544\r +SeSystemEnvironmentPrivilege = *S-1-5-32-544\r 
+SeProfileSingleProcessPrivilege = *S-1-5-32-544\r +SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20\r +SeRestorePrivilege = *S-1-5-32-544\r +SeShutdownPrivilege = *S-1-5-32-544\r +SeTakeOwnershipPrivilege = *S-1-5-32-544\r +SeDenyNetworkLogonRight = *S-1-5-32-546\r +SeDenyBatchLogonRight = *S-1-5-32-546\r +SeDenyServiceLogonRight = *S-1-5-32-546\r +SeDenyInteractiveLogonRight = *S-1-5-32-546\r\n" + end + its('stderr') { should eq '' } +end diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb deleted file mode 100644 index 6fdb298..0000000 --- a/test/integration/default/serverspec/default_spec.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'spec_helper' - -describe 'base-win2012-hardening::default' do - # Serverspec examples can be found at - # http://serverspec.org/resource_types.html - it 'does something' do - skip 'Replace this with meaningful tests' - end -end From 4ae65f44c9cb60afad7f76960abb2b7297645cef Mon Sep 17 00:00:00 2001 From: "matthew.tunny" Date: Mon, 6 Mar 2017 20:52:19 +1000 Subject: [PATCH 2/3] added CIS 2012r2 L1 standard without firewall --- .kitchen.yml | 9 +- ...s.csv => CIS_2012r2_L1_audit_settings.csv} | 43 +++--- files/CIS_2012r2_L1_localComputer.inf | 139 +++++++++++++++++ files/localComputer.inf | 50 ------ metadata.rb | 15 +- ...kout_windows2012r2.rb => CIS_2012r2_L1.rb} | 143 +++++++++++------- test/integration/default/default_spec.rb | 42 ++++- 7 files changed, 301 insertions(+), 140 deletions(-) rename files/{audit_settings.csv => CIS_2012r2_L1_audit_settings.csv} (83%) mode change 100755 => 100644 create mode 100644 files/CIS_2012r2_L1_localComputer.inf delete mode 100644 files/localComputer.inf rename recipes/{_tobreakout_windows2012r2.rb => CIS_2012r2_L1.rb} (86%) diff --git a/.kitchen.yml b/.kitchen.yml index 70f4f13..fe59329 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
@@ -41,4 +41,11 @@ suites: attributes: verifier: inspec_tests: - - https://github.com/dev-sec/windows-hardening-benchmark \ No newline at end of file + - https://github.com/dev-sec/windows-hardening-benchmark + + - name: CIS_2012r2_L1 + run_list: + - recipe[base-win2012-hardening::CIS_2012r2_L1] + verifier: + inspec_tests: + - test/integration/default \ No newline at end of file diff --git a/files/audit_settings.csv b/files/CIS_2012r2_L1_audit_settings.csv old mode 100755 new mode 100644 similarity index 83% rename from files/audit_settings.csv rename to files/CIS_2012r2_L1_audit_settings.csv index e6d3cdf..434988a --- a/files/audit_settings.csv +++ b/files/CIS_2012r2_L1_audit_settings.csv 
@@ -1,21 +1,22 @@ -Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value -,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success,,1 -,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 -,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success,,1 -,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1 -,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 -,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 -,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Other Privilege Use Events,{0cce922a-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3 -,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and 
Failure,,3 +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Application Group Management,{0cce9239-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and 
Failure,,3 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 \ No newline at end of file diff --git a/files/CIS_2012r2_L1_localComputer.inf b/files/CIS_2012r2_L1_localComputer.inf new file mode 100644 index 0000000..3399328 --- /dev/null +++ b/files/CIS_2012r2_L1_localComputer.inf 
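Review bot: `Audit Security State Change` is reduced from `Success and Failure` to `Success`, and the `Audit Non Sensitive Privilege Use` and `Audit Other Privilege Use Events` rows from the old file are dropped, so this rename also loosens the audit policy without the commit message saying so. As far as I know `auditpol /restore` only touches the subcategories present in the file, so the two removed rows keep whatever setting the host already had instead of being reset. CSV has no comment syntax, so I would record the benchmark version this list was taken from and the deliberate removals in the recipe next to the `cookbook_file 'c:/temp/CIS_2012r2_L1_audit_settings.csv'` resource or in the README.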
@@ -0,0 +1,139 @@ +[Unicode] +Unicode=yes +[System Access] +MinimumPasswordAge = 1 +MaximumPasswordAge = 60 +MinimumPasswordLength = 10 +PasswordComplexity = 1 +PasswordHistorySize = 24 +LockoutBadCount = 10 +ResetLockoutCount = 15 +LockoutDuration = 15 +RequireLogonToChangePassword = 0 +ForceLogoffWhenHourExpire = 1 +NewAdministratorName = "Administrator" +NewGuestName = "Guest" +ClearTextPassword = 0 +LSAAnonymousNameLookup = 0 +EnableAdminAccount = 1 +EnableGuestAccount = 0 +[Event Audit] +AuditSystemEvents = 1 +AuditLogonEvents = 0 +AuditObjectAccess = 0 +AuditPrivilegeUse = 0 +AuditPolicyChange = 0 +AuditAccountManage = 0 +AuditProcessTracking = 0 +AuditDSAccess = 0 +AuditAccountLogon = 0 +[Registry Values] +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0" +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"4" +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1 +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14 +MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1" +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,2 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,0 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1 
+MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes=4,2147483644 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"" +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7, +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser=4,3 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1 +MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0 +MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0 +MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1 +MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5 
+MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200 +MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200 +MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1 +MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID=4,0 +MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1 +MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 +MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1 +MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId=4,1 +MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1 +MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion +MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog,System\CurrentControlSet\Services\CertSvc,System\CurrentControlSet\Services\WINS +MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1 +MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0 +MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 
+MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7, +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1 +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1 +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7, +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7, +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1 +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1 +MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel=4,1 +MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0 +MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1 +MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1 +MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1 +MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 +MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30 +MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1 +MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1 +MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1 +MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1 +[Privilege Rights] +SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544 +SeBackupPrivilege = *S-1-5-32-544 +SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-0 +SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544 +SeCreatePagefilePrivilege = 
*S-1-5-32-544 +SeDebugPrivilege = *S-1-5-32-544 +SeRemoteShutdownPrivilege = *S-1-5-32-544 +SeAuditPrivilege = *S-1-5-19,*S-1-5-20 +SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544 +SeIncreaseBasePriorityPrivilege = *S-1-5-32-544 +SeLoadDriverPrivilege = *S-1-5-32-544 +SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559 +SeServiceLogonRight = *S-1-5-80-0 +SeInteractiveLogonRight = *S-1-5-32-544 +SeSecurityPrivilege = *S-1-5-32-544 +SeSystemEnvironmentPrivilege = *S-1-5-32-544 +SeProfileSingleProcessPrivilege = *S-1-5-32-544 +SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 +SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20 +SeRestorePrivilege = *S-1-5-32-544 +SeShutdownPrivilege = *S-1-5-32-544 +SeTakeOwnershipPrivilege = *S-1-5-32-544 +SeDenyNetworkLogonRight = *S-1-5-32-546 +SeDenyBatchLogonRight = *S-1-5-32-546 +SeDenyServiceLogonRight = *S-1-5-32-546 +SeDenyInteractiveLogonRight = *S-1-5-32-546 +SeUndockPrivilege = *S-1-5-32-544 +SeManageVolumePrivilege = *S-1-5-32-544 +SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555 +SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6 +SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 +SeIncreaseWorkingSetPrivilege = *S-1-5-32-545,*S-1-5-90-0 +SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544 +SeCreateSymbolicLinkPrivilege = *S-1-5-32-544 +[Version] +signature="$CHICAGO$" +Revision=1 diff --git a/files/localComputer.inf b/files/localComputer.inf deleted file mode 100644 index 5018dee..0000000 --- a/files/localComputer.inf +++ /dev/null 
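Review bot: `LegalNoticeCaption=1,""` and `LegalNoticeText=7,` in `[Registry Values]` write empty banner values, while the recipe sets `legalnoticecaption`/`legalnoticetext` on the same key with a `registry_key` resource earlier in the run; because the `secedit /configure` import is the last step, the INF will very likely blank the banner the recipe just wrote, so drop those two lines from the INF or make the INF the single source of truth for the banner. `NewAdministratorName = "Administrator"` together with `EnableAdminAccount = 1` leaves the built-in administrator enabled under its default name, which CIS L1 recommends against on member servers; if that is a deliberate concession to test-kitchen's WinRM login, say so in a comment beside those lines. `SmbServerNameHardeningLevel=4,1` also contradicts the patch-1 spec, which expects `SMBServerNameHardeningLevel` to be `0`, so one of the two needs to change.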
@@ -1,50 +0,0 @@
-[Unicode]
-Unicode=yes
-[Event Audit]
-AuditSystemEvents = 3
-AuditLogonEvents = 0
-AuditObjectEvents = 0
-AuditPrivilegeUse = 0
-AuditPolicyChange = 0
-AuditAccountManage = 0
-AuditProcessTracking = 0
-AuditDSAccess = 0
-AuditAccountLogon = 0
-[Privilege Rights]
-SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
-SeBackupPrivilege = *S-1-5-32-544
-SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-0
-SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
-SeCreatePagefilePrivilege = *S-1-5-32-544
-SeDebugPrivilege = *S-1-5-32-544
-SeRemoteShutdownPrivilege = *S-1-5-32-544
-SeAuditPrivilege = *S-1-5-19,*S-1-5-20
-SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
-SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
-SeLoadDriverPrivilege = *S-1-5-32-544
-SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
-SeServiceLogonRight = *S-1-5-80-0
-SeInteractiveLogonRight = *S-1-5-32-544
-SeSecurityPrivilege = *S-1-5-32-544
-SeSystemEnvironmentPrivilege = *S-1-5-32-544
-SeProfileSingleProcessPrivilege = *S-1-5-32-544
-SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
-SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
-SeRestorePrivilege = *S-1-5-32-544
-SeShutdownPrivilege = *S-1-5-32-544
-SeTakeOwnershipPrivilege = *S-1-5-32-544
-SeDenyNetworkLogonRight = *S-1-5-32-546
-SeDenyBatchLogonRight = *S-1-5-32-546
-SeDenyServiceLogonRight = *S-1-5-32-546
-SeDenyInteractiveLogonRight = *S-1-5-32-546
-SeUndockPrivilege = *S-1-5-32-544
-SeManageVolumePrivilege = *S-1-5-32-544
-SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
-SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
-SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
-SeIncreaseWorkingSetPrivilege = *S-1-5-32-545,*S-1-5-90-0
-SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544
-SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
-[Version]
-signature="$CHICAGO$"
-Revision=1
diff --git a/metadata.rb b/metadata.rb
index d50c696..1750abf 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -1,8 +1,7 @@
-name 'base-win2012-hardening'
-maintainer 'Joe Gardiner'
-maintainer_email 'joe@chef.io'
-license 'all_rights'
-description 'Hardneing cookbook for Windows 2012 R2'
-long_description 'Remediates critical issues identified by the Windows base profile in Chef Compliance.'
-version '0.7.1'
-
+name 'base-win2012-hardening'
+maintainer 'Joe Gardiner'
+maintainer_email 'joe@chef.io'
+license 'all_rights'
+description 'Hardneing cookbook for Windows 2012 R2'
+long_description 'Remediates critical issues identified by the Windows base profile in Chef Compliance.'
+version '0.7.1'
diff --git a/recipes/_tobreakout_windows2012r2.rb b/recipes/CIS_2012r2_L1.rb
similarity index 86%
rename from recipes/_tobreakout_windows2012r2.rb
rename to recipes/CIS_2012r2_L1.rb
index cd36ba3..8cd4669 100644
--- a/recipes/_tobreakout_windows2012r2.rb
+++ b/recipes/CIS_2012r2_L1.rb
@@ -1,4 +1,26 @@ -# Registry keys for Windows Server2012 R2 hardening GPO +# +# Cookbook Name:: base-win2012-hardening +# Recipe:: CIS_2012r2_L1 +# +# Copyright (c) 2017 Matt Tunny, All Rights Reserved. +# +# Setting below break test-kitchen but required in production, Also this recipe does not include firewall settings. +# unless ENV['TEST_KITCHEN'] + +# NTLM Hardening -- This settings breaks WinRM +if node['NTLM_Harden'] == true + # System Policys + registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' do + values [{ name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 0 }] # This breaks test-kitchen if enabled + action :create + end + # NTLM Hardening + registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do + values [{ name: 'RestrictReceivingNTLMTraffic', type: :dword, data: 2 }, + { name: 'RestrictSendingNTLMTraffic', type: :dword, data: 2 }] + action :create + end +end # Winlogon Settings registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' do @@ -16,7 +38,7 @@ registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do values [ # { name: 'fullprivilegeauditing', type: :binary, data: 01 }, Removed due to 31 value being passed through chef, added powershell script below { name: 'AuditBaseObjects', type: :dword, data: 1 }, - { name: 'SCENoApplyLegacyAuditPolicy', type: :dword, data: 1 }, + { name: 'scenoapplylegacyauditpolicy', type: :dword, data: 1 }, { name: 'DisableDomainCreds', type: :dword, data: 1 }, { name: 'LimitBlankPasswordUse', type: :dword, data: 1 }, { name: 'CrashOnAuditFail', type: :dword, data: 0 }, @@ -30,6 +52,7 @@ action :create end +# LSA Setting can't be added via registry_key due to hex key bug' powershell_script 'fullprivilegeauditing' do code <<-EOH Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" -Name fullprivilegeauditing -Value 01 
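Review bot: The `node['NTLM_Harden']` branch couples two unrelated controls: `LocalAccountTokenFilterPolicy = 0` (UAC remote restrictions, a CIS L1 item and Windows' default) and `RestrictReceivingNTLMTraffic`/`RestrictSendingNTLMTraffic = 2` (deny all NTLM, which CIS L1 does not require and which breaks any WinRM path that falls back to NTLM). A separate attribute for each, with defaults declared in an attributes file, would let the UAC setting ship by default while the NTLM deny stays opt-in, e.g. `if node['UAC_Remote_Restrictions']` and `if node['NTLM_Harden']` (the `== true` comparison is redundant in Ruby). Declaring `registry_key` resources for `Policies\System` and `Lsa\MSV1_0` here, when the recipe already declares resources with those exact names further down, duplicates resource names and on Chef 12 triggers resource-cloning warnings; appending the conditional entries to the existing `values` arrays avoids that. The commented-out `# unless ENV['TEST_KITCHEN']` above the block looks like leftover scaffolding and should be removed.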
@@ -46,37 +69,33 @@ action :create end -if node['NTLM_Harden'] == false - registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do - values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }, - { name: 'allownullsessionfallback', type: :dword, data: 0 }, - # { name: 'RestrictReceivingNTLMTraffic', type: :dword, data: 2 }, # Hashed out due to breaking WinRM - # { name: 'RestrictSendingNTLMTraffic', type: :dword, data: 2 }, # Hashed out due to breaking WinRM - { name: 'NTLMMinClientSec', type: :dword, data: 537_395_200 }, - { name: 'AuditReceivingNTLMTraffic', type: :dword, data: 2 }] - action :create - end +# NTML Hardening +registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do + values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }, + { name: 'allownullsessionfallback', type: :dword, data: 0 }, + { name: 'NTLMMinClientSec', type: :dword, data: 537_395_200 }, + { name: 'AuditReceivingNTLMTraffic', type: :dword, data: 2 }] + action :create end -if node['NTLM_Harden'] == true - registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do - values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }, - { name: 'allownullsessionfallback', type: :dword, data: 0 }, - { name: 'RestrictReceivingNTLMTraffic', type: :dword, data: 2 }, - { name: 'RestrictSendingNTLMTraffic', type: :dword, data: 2 }, - { name: 'NTLMMinClientSec', type: :dword, data: 537_395_200 }, - { name: 'AuditReceivingNTLMTraffic', type: :dword, data: 2 }] - action :create - end - # Setting this on breaks test-kitchen - Federal Information Processing Standards. - registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' do - values [{ - name: 'Enabled', - type: :dword, - data: 0 - }] - action :create - end +# Setting this on breaks test-kitchen - Federal Information Processing Standards. 
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' do + values [{ + name: 'Enabled', + type: :dword, + data: 0 + }] + action :create +end + +# RDP Encryption +registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' do + values [{ + name: 'MinEncryptionLevel', + type: :dword, + data: 3 + }] + action :create end # Netlogon Parameters @@ -115,7 +134,6 @@ { name: 'NoConnectedUser', type: :dword, data: 1 }, { name: 'PromptOnSecureDesktop', type: :dword, data: 1 }, { name: 'EnableVirtualization', type: :dword, data: 1 }, - { name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 0 }, { name: 'EnableUIADesktopToggle', type: :dword, data: 0 }, { name: 'ConsentPromptBehaviorAdmin', type: :dword, data: 2 }, { name: 'EnableSecureUIAPaths', type: :dword, data: 1 }, @@ -127,8 +145,8 @@ { name: 'EnableInstallerDetection', type: :dword, data: 1 }, { name: 'DisableCAD', type: :dword, data: 0 }, { name: 'ShutdownWithoutLogon', type: :dword, data: 0 }, - { name: 'legalnoticecaption', type: :string, data: 'Company Logon Warning' }, - { name: 'legalnoticetext', type: :string, data: 'Warning text goes here...' }] + { name: 'legalnoticecaption', type: :string, data: 'Legal caption here' }, + { name: 'legalnoticetext', type: :string, data: 'Legal text and harsh warnings etc here.....' }] action :create end @@ -188,7 +206,7 @@ action :create end -# EMET Parameters +# EMET Application Parameters registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults' do values [{ name: 'IE', type: :string, data: '*\Internet Explorer\iexplore.exe' }, { name: '7z', type: :string, data: '*\7-Zip\7z.exe -EAF' }, 
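Review bot: `'Legal caption here'` and `'Legal text and harsh warnings etc here.....'` are placeholder strings that every user will see at logon if this recipe reaches production; move them to node attributes such as `node['legal_notice']['caption']` and `node['legal_notice']['text']`, keep the placeholders only as defaults, and document that they must be overridden. The patch-1 spec asserts `legalnoticecaption` equals `'Company Logon Warning'`, so unless the spec is updated elsewhere in this patch the new CIS_2012r2_L1 suite will fail on this change. The enclosing `registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'` resource starts and ends outside this hunk.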
@@ -450,17 +468,6 @@
 action :create
 end
-# Encryption of RDP
-registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' do
- values [{
- name: 'MinEncryptionLevel',
- type: :dword,
- data: 3
- }]
- action :create
- recursive true
-end
-
 # Index of encrypted files
 registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' do
 values [{
@@ -503,17 +510,49 @@
 recursive true
 end
+# Enable WinRM
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' do
+ values [
+ { name: 'AllowAutoConfig', type: :dword, data: 1 },
+ { name: 'IPv4Filter', type: :string, data: '*' }]
+ action :create
+end
+
+# Powershell ScriptBlock Logging
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' do
+ values [{
+ name: 'EnableScriptBlockLogging',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Powershell Transcription
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' do
+ values [{
+ name: 'EnableTranscripting',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Force Windows Update
+
 directory 'c:/temp' do
 action :create
 end
 # Local Security Policy
-cookbook_file 'c:/temp/localComputer.inf' do
+cookbook_file 'c:/temp/CIS_2012r2_L1_localComputer.inf' do
 action :create
 end
 # Reg Files for save applications
-cookbook_file 'c:/temp/audit_settings.csv' do
+cookbook_file 'c:/temp/CIS_2012r2_L1_audit_settings.csv' do
 action :create
 end
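Review bot: `EnableScriptBlockLogging` and `EnableTranscripting` are both written as `data: 0`, so the blocks headed `# Powershell ScriptBlock Logging` and `# Powershell Transcription` explicitly turn those sources off — the opposite of what the headings suggest, and it removes telemetry that detection teams commonly rely on. If 0 is deliberate for the benchmark revision this recipe follows, the comment should say so, e.g. `# PowerShell script block logging: explicitly DISABLED (benchmark value); override via attribute if your SOC needs it`, and likewise for transcription. The WinRM `Service` block is the only one of the three new keys without `recursive true`, so it is likely to fail on an image where `Software\Policies\Microsoft\Windows\WinRM` is absent while its neighbours would not; add `recursive true` there as well. `# Force Windows Update` heads nothing — the `directory 'c:/temp'` beneath it belongs to the secedit import — so either drop the comment or add the resource it announces.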
@@ -521,12 +560,12 @@
 powershell_script 'import' do
 cwd 'c:/temp'
 code <<-EOH
- secedit /import /db secedit.sdb /cfg localComputer.inf
+ secedit /import /db secedit.sdb /cfg CIS_2012r2_L1_localComputer.inf
 secedit /configure /db secedit.sdb
- auditpol /restore /File:audit_settings.csv
+ auditpol /restore /File:CIS_2012r2_L1_audit_settings.csv
 gpupdate /force
- del "localComputer.inf" -force -ErrorAction SilentlyContinue
+ del "CIS_2012r2_L1_localComputer.inf" -force -ErrorAction SilentlyContinue
 del "secedit.sdb" -force -ErrorAction SilentlyContinue
- del "audit_settings.csv" -force -ErrorAction SilentlyContinue
+ del "CIS_2012r2_L1_audit_settings.csv" -force -ErrorAction SilentlyContinue
 EOH
 end
diff --git a/test/integration/default/default_spec.rb b/test/integration/default/default_spec.rb
index 70f010c..dcecf90 100644
--- a/test/integration/default/default_spec.rb
+++ b/test/integration/default/default_spec.rb
@@ -1,7 +1,9 @@
-# # encoding: utf-8
-
-# Inspec test for recipe
+# encoding: utf-8
+# Inspec test for CIS_2012r2_L1
+#
+# Copyright (c) 2017 Matt Tunny, All Rights Reserved.
+#
 # The Inspec reference, with examples and extensive documentation, can be
 # found at http://inspec.io/docs/reference/resources/
@@ -18,7 +20,7 @@
 describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa') do
 its('FullPrivilegeAuditing') { should eq [01] }
 its('AuditBaseObjects') { should eq 1 }
- its('SCENoApplyLegacyAuditPolicy') { should eq 1 }
+ its('scenoapplylegacyauditpolicy') { should eq 1 }
 its('DisableDomainCreds') { should eq 1 }
 its('LimitBlankPasswordUse') { should eq 1 }
 its('CrashOnAuditFail') { should eq 0 }
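Review bot: `its('scenoapplylegacyauditpolicy')` is now the only lower-cased value name in this `describe registry_key` block, which reads as a typo beside `its('AuditBaseObjects')` and `its('DisableDomainCreds')`, and the reason for the change is not visible in the diff. If the lower case is needed to match how the recipe writes the value, add `# lower-cased to match the value name the recipe creates` above it; otherwise keep the benchmark spelling `SCENoApplyLegacyAuditPolicy` so the spec stays consistent with its neighbours.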
@@ -88,7 +90,7 @@
 its('EnableVirtualization') { should eq 1 }
 its('EnableUIADesktopToggle') { should eq 0 }
 its('ConsentPromptBehaviorAdmin') { should eq 2 }
- its('LocalAccountTokenFilterPolicy') { should eq 0 }
+ # its('LocalAccountTokenFilterPolicy') { should eq 0 } Removed due to breaking Test-Kitchen
 its('EnableSecureUIAPaths') { should eq 1 }
 its('FilterAdministratorToken') { should eq 1 }
 its('MaxDevicePasswordFailedAttempts') { should eq 10 }
@@ -98,9 +100,9 @@
 its('EnableInstallerDetection') { should eq 1 }
 its('DisableCAD') { should eq 0 }
 its('ShutdownWithoutLogon') { should eq 0 }
- its('legalnoticecaption') { should eq 'Company Logon Warning' }
+ its('legalnoticecaption') { should eq 'Legal caption here' }
 its('legalnoticetext') do
- should eq 'Warning text goes here...'
+ should eq 'Legal text and harsh warnings etc here.....'
 end
 end
@@ -337,10 +339,26 @@
 its('DontSearchWindowsUpdate') { should eq 1 }
 end
+# PowerShell Settings
+describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging') do
+ its('EnableScriptBlockLogging') { should eq 0 }
+end
+describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription') do
+ its('EnableTranscripting') { should eq 0 }
+end
+
 # Local Policy Script
 script = <<-EOH
 secedit /export /cfg c:\\temp\\tempexport.inf /quiet
 Get-content C:\\temp\\tempexport.inf | findstr /B `
+/C:"MinimumPasswordAge = 1" `
+/C:"MaximumPasswordAge = 42" `
+/C:"MinimumPasswordLength = 14" `
+/C:"PasswordComplexity = 1" `
+/C:"PasswordHistorySize = 24" `
+/C:"LockoutBadCount = 10" `
+/C:"ResetLockoutCount = 15" `
+/C:"LockoutDuration = 15" `
 /C:"SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544" `
 /C:"SeServiceLogonRight = *S-1-5-80-0" `
 /C:"SeInteractiveLogonRight = *S-1-5-32-544" `
@@ -361,7 +379,15 @@
 # Local Policy Tester
 describe powershell(script) do
 its('stdout') do
- should eq "SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544\r
+ should eq "MinimumPasswordAge = 1\r
+MaximumPasswordAge = 42\r
+MinimumPasswordLength = 14\r
+PasswordComplexity = 1\r
+PasswordHistorySize = 24\r
+LockoutBadCount = 10\r
+ResetLockoutCount = 15\r
+LockoutDuration = 15\r
+SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544\r
 SeServiceLogonRight = *S-1-5-80-0\r
 SeInteractiveLogonRight = *S-1-5-32-544\r
 SeSecurityPrivilege = *S-1-5-32-544\r
From 55e017758f8eab02ebce970363f644ea58cf1a69 Mon Sep 17 00:00:00 2001
From: "matthew.tunny"
Date: Mon, 6 Mar 2017 21:44:26 +1000
Subject: [PATCH 3/3] removed reg keys already applied with chef
---
 files/CIS_2012r2_L1_localComputer.inf | 72 ---------------------------
 1 file changed, 72 deletions(-)
diff --git a/files/CIS_2012r2_L1_localComputer.inf b/files/CIS_2012r2_L1_localComputer.inf
index 3399328..b7ab6ff 100644
--- a/files/CIS_2012r2_L1_localComputer.inf
+++ b/files/CIS_2012r2_L1_localComputer.inf
@@ -27,78 +27,6 @@ AuditAccountManage = 0
 AuditProcessTracking = 0
 AuditDSAccess = 0
 AuditAccountLogon = 0
-[Registry Values]
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"4"
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
-MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,2
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,0
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes=4,2147483644
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser=4,3
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
-MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
-MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
-MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
-MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
-MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
-MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
-MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
-MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID=4,0
-MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
-MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
-MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1
-MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId=4,1
-MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
-MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
-MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog,System\CurrentControlSet\Services\CertSvc,System\CurrentControlSet\Services\WINS
-MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
-MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
-MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
-MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
-MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel=4,1
-MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
-MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
-MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
-MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
-MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
-MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
-MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
-MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
-MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
-MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
 [Privilege Rights]
 SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
 SeBackupPrivilege = *S-1-5-32-544