local_security_policy
Windows Local Security Policy management. Forked from cannonps/local_security_policy
Version information
released Feb 28th 2023
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'ayohrling-local_security_policy', '1.1.1'Learn more about managing modules with a PuppetfileDocumentation
ayohrling/local_security_policy — version 1.1.1 Feb 28th 2023
Puppet Local Security Policy
created by Paul Cannon at email paulscannon at gmail dot com
forked and updated by Adam Yohrling at email aryohrling at gmail dot com
Local_security_policy features
Configure local security policy (LSP) for Windows servers. LSP is key to a baseline configuration of the following security features:
Account Policy
- Password Policy
- Account Lockout Policy
Local Policy
- Audit Policy
- User Rights Assignment
- Security Options
This module uses types and providers to list, update, and validate settings.
Use
The title and name of the resources is exact match of what is in Local Security Policy GUI. If you are uncertain of the setting name and values just use puppet resource local_security_policy to pipe them all into a file and make adjustments as necessary.
The block will look like this
local_security_policy { 'Audit account logon events': <- Title / Name
ensure => present, <- Always present
policy_setting => "AuditAccountLogon", <- The secedit file key. Informational purposes only, not for use in manifest definitions
policy_type => "Event Audit", <- The secedit file section, Informational purposes only, not for use in manifest definitions
policy_value => 'Success,Failure', <- Values
}
Listing all settings
Show all local_security_policy resources available on server
puppet resource local_security_policy
Show a single local_security_policy resources available on server
puppet resource local_security_policy 'Maximum password age'
More examples
Example Password Policy
local_security_policy { 'Maximum password age':
ensure => present,
policy_value => '90',
}
Example Audit Policy
local_security_policy { 'Audit account logon events':
ensure => present,
policy_value => 'Success,Failure',
}
Example User Rights Policy
local_security_policy { 'Allow log on locally':
ensure => present,
policy_value => 'Administrators',
}
Example Security Settings
local_security_policy { 'System cryptography: Use FIPS compiant algorithms for encryption, hashing, and signing':
ensure => present,
policy_value => 1 ,
}
Full list of settings available
Access Credential Manager as a trusted caller
Access this computer from the network
Account lockout duration
Account lockout threshold
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Accounts: Require Login to Change Password
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Audit account logon events
Audit account management
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit directory service access
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit: Shut down system immediately if unable to log security audits
Audit system events
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Devices: Allowed to format and eject removable media
Devices: Allow undock without having to log on
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
EnableAdminAccount
Enable computer and user accounts to be trusted for delegation
Enforce password history
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Don't display last signed-in
Interactive logon: Don't display username at sign-in
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require Windows Hello for Business or smart card
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Maximum password age
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Minimum password age
Minimum password length
Minimum password length audit
Modify an object label
Modify firmware environment values
Network access: Allow anonymous SID/name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict clients allowed to make remote calls to SAM
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: All Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Obtain an impersonation token for another user in the same session
Password must meet complexity requirements
Perform volume maintenance tasks
Profile single process
Profile system performance
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Relax minimum password length limits
Remove computer from docking station
Replace a process level token
Reset account lockout counter after
Restore files and directories
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
Shut down the system
Store passwords using reversible encryption
Synchronize directory service data
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Take ownership of files or other objects
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
How this works
The local_security_policy module works by using secedit /export to export a list of currently set policies. The module will then
take the user defined resources and compare the values against the exported policies. If the values on the system do not match
the defined resource, the module will run secedit /configure to configure the policy on the system. If the policy already
exists on the system no change will be made.
In order to make setting these polices easier, this module uses the policy description from the Local Security Policy
management console and translates that into the appropriate entries in the file used by secedit /configure. Similarly, the module is
able to translate user and group names into the SID and name values that are used by User Rights Assignment policies.
New policy maps require values for the key, name, and policy_type. Policies that require user and group conversion to SID values require data_type: :principal to perform the translation. Policies that require the value to be enclosed in double-quotes require data_type: :quoted_string. Policies that modify registry values also require a value for reg_type.
The following reg_type values are supported:
REG_NONE 0
REG_SZ 1
REG_EXPAND_SZ 2
REG_BINARY 3
REG_DWORD 4
REG_DWORD_LITTLE_ENDIAN 4
REG_DWORD_BIG_ENDIAN 5
REG_LINK 6
REG_MULTI_SZ 7
REG_RESOURCE_LIST 8
REG_FULL_RESOURCE_DESCRIPTOR 9
REG_RESOURCE_REQUIREMENTS_LIST 10
REG_QWORD 11
REG_QWORD_LITTLE_ENDIAN 11
Here are examples of working policy definitions from lib\puppet_x\lsp\security_policy.rb:
'Accounts: Rename administrator account' => {
name: 'NewAdministratorName',
policy_type: 'System Access',
data_type: :quoted_string
},
'Recovery console: Allow floppy copy and access to all drives and all folders' => {
name: 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand',
reg_type: '4',
policy_type: 'Registry Values',
},
'Allow log on locally' => {
name: 'SeInteractiveLogonRight',
policy_type: 'Privilege Rights',
data_type: :principal,
},
In the first example above, the key Accounts: Rename administrator account is what the user will define as the 'name' in the resource. In the policy definitions included in the module, this is the name shown in the Local Security Policy management console. It is recommended to make this something descriptive and easy to remember, or a description pulled from the Operating System.
The name 'NewAdministratorName' is the key used in the import file used by secedit /configure.
The policy_type 'System Access' is the section name in the import file used by secedit /configure.
The data_type ':quoted_string' indicates that this value must be enclosed in double-quotes in the import file used by secedit /configure.
To modify these settings, you would define the following resources in your Puppet configuration:
local_security_policy { 'Accounts: Rename administrator account':
ensure => present,
policy_value => 'MyAdminAccount',
}
local_security_policy { 'Recovery console: Allow floppy copy and access to all drives and all folders':
ensure => present,
policy_value => '0',
}
local_security_policy { 'Allow log on locally':
ensure => present,
policy_value => 'Administrators',
}
Assuming all of the desired values are different than what is currently set in the OS, this would result in the following INI file, which would be imported by secedit /configure:
[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "MyAdminAccount"
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
Commands Used
TODO: Future release
- Handle unsupported policies
- Validate users in active directory are being handled.
Reference
Table of Contents
Classes
local_security_policy: Configure local security policy for Windows servers.
Resource types
local_security_policy: Puppet type that models the local security policy
Classes
local_security_policy
This class can be used to specify local_security_policy resources in Hiera. For example,
local_security_policy::policies:
'Audit account logon events':
ensure: 'present'
policy_setting: 'AuditAccountLogon'
policy_type: 'Event Audit'
policy_value: 'Success,Failure'
Examples
include local_security_policy
Parameters
The following parameters are available in the local_security_policy class.
policies
Data type: Hash
Hash of local_security_policy resources
Default value: {}
Resource types
local_security_policy
Puppet type that models the local security policy
Properties
The following properties are available in the local_security_policy type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
policy_type
Valid values: System Access, Event Audit, Privilege Rights, Registry Values, nil, ''
Local Security Policy Type. Section of the config INF the setting is in.
policy_setting
Local Security Policy Machine Name. What OS knows it by.
policy_value
Local Security Policy Setting Value
Parameters
The following parameters are available in the local_security_policy type.
name
namevar
Local Security Setting Name. What you see it the GUI.
[1.1.1] - 2023-01-03
- Fixed SID order idempotency - #124
[1.1.0] - 2022-10-24
- Add Windows 2022 support and new policies - #125
[1.0.0] - 2022-02-09
Added
- Add Puppet7 Support - #115
Changed
- Fix idempotency of local groups and users in Privilege Rights settings - #113
- Moved travis-ci tests to GitHub Actions - #119
[0.8.1] - 2020-11-24
Changed
- Fixed 'SDDL values are not idempotent' - #108
[0.8.0] - 2020-11-10
Added
- Newly introduced settings for Windows 2016 and 2019
[0.7.2] - 2020-09-11
Added
- Support for local or domain group lookup
- Support for policy specification via hiera
[0.7.1] - 2020-07-08
Changed
- invalid metadata tags removed
[0.7.0] - 2020-07-08
Added
- PDK support
- Acceptance tests
- Registry value validation
Changed
- Fixed issues with intermittent failure of quoted values
- Resolved 'validate method error'
- Resolved munging error on domain controllers
[0.6.3] - naeem98
- Added 'Accounts: Administrator account status' setting for CIS 2.3.1.1
[0.6.2]
- Bug fix for 'No auditing' case issue - Jordan Wesolowski - #26
- Fix issue where WMIC was timing out or crashing on systems joined to a domain - Thomas Linkin - #28
[0.6.1]
- Updates for typos in settings and official policy names - Gerben Welter - #19
- Support old-style file-loading - Jordan Wesolowski - #24
[0.6.0] - Adam Yohrling
- Added new Network security settings, Typo Fixes, Idempotency - #18
[0.5.2] - Ryan Russell-Yates
- Updated all ruby files to UTF-8 forced encoding.
[0.4.1] - Adam Yohrling
- Fixed Issue 3 - undefined method error for 'Network access: Let Everyone permissions apply to anonymous users' setting
[0.4.0] - Adam Yohrling
- Added support for ensuring Privilege Rights settings as absent
[0.3.2] - Adam Yohrling
- Added support for currently unset values
- Removed duplicate and invalid 'initalize' method
- Cleaned out .DS_Store files that were in the repository
- Moved references for external methods to self.class in flush method and removed duplicate data
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.