diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000..3ecb608
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,3 @@
+fixtures:
+ symlinks:
+ advanced_security_policy: '#{source_dir}'
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..56efb9c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,22 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+.DS_Store
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..27780ad
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,69 @@
+---
+stages:
+ - test_2.4.1
+ - test_2.1.9
+
+before_script:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+ - bundle install --without system_tests
+
+rubocop-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake rubocop
+
+syntax-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake syntax lint
+
+metadata-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake metadata_lint
+
+rspec-puppet-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ variables:
+ PUPPET_GEM_VERSION: ~> 4.0
+ CHECK: spec
+ script:
+ - bundle update
+ - bundle exec rake $CHECK
+
+rubocop-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake rubocop
+
+syntax-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake syntax lint
+
+metadata-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake metadata_lint
+
+rspec-puppet-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ variables:
+ PUPPET_GEM_VERSION: ~> 4.0
+ CHECK: spec
+ script:
+ - bundle update
+ - bundle exec rake $CHECK
diff --git a/.pdkignore b/.pdkignore
new file mode 100644
index 0000000..56efb9c
--- /dev/null
+++ b/.pdkignore
@@ -0,0 +1,22 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+.DS_Store
diff --git a/.pmtignore b/.pmtignore
new file mode 100644
index 0000000..0a87075
--- /dev/null
+++ b/.pmtignore
@@ -0,0 +1,21 @@
+docs/
+pkg/
+Gemfile.lock
+Gemfile.local
+vendor/
+.vendor/
+spec/fixtures/manifests/
+spec/fixtures/modules/
+.vagrant/
+.bundle/
+.ruby-version
+coverage/
+log/
+.idea/
+.dependencies/
+.librarian/
+Puppetfile.lock
+*.iml
+.*.sw?
+.yardoc/
+junit/
diff --git a/.rspec b/.rspec
new file mode 100644
index 0000000..624a7f7
--- /dev/null
+++ b/.rspec
@@ -0,0 +1,2 @@
+--color
+--format documentation
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000..8989e18
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,4 @@
+---
+inherit_gem:
+ kpn-style:
+ - ruby-2.4.yml
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..ea8543e
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,50 @@
+---
+sudo: false
+dist: trusty
+language: ruby
+cache: bundler
+before_install:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+script:
+ - 'bundle exec rake $CHECK'
+bundler_args: --without system_tests
+rvm:
+ - 2.4.1
+ - 2.1.9
+env:
+ - PUPPET_GEM_VERSION="~> 4.0" CHECK=spec
+ - PUPPET_GEM_VERSION="~> 5.0" CHECK=spec
+matrix:
+ fast_finish: true
+ include:
+ -
+ env: CHECK=rubocop
+ -
+ env: CHECK="syntax lint"
+ -
+ env: CHECK=metadata_lint
+ -
+ env: CHECK=spec
+ -
+ env: PUPPET_GEM_VERSION="~> 4.0" CHECK=spec DEPLOY_TO_FORGE=yes
+ rvm: 2.1.9
+branches:
+ only:
+ - master
+ - /^v\d/
+notifications:
+ email: false
+deploy:
+ provider: puppetforge
+ user: kpn
+ password:
+ secure: "g76nk0Uv500X4HeM3P7r8Medeu6hW7F8hCLdpydb9iAX1/nKNTvVvwnwVXYUcEdBxKAVLPZPCn5C47cJQszhKJpIa9q5KXkNIuDAxnooPdn2d8Hstr34c/qDWLGa/GJ6qMxEfAaCPgO86ZcKksxvywy/a7/ixM3aCd3gbEIA/y9ajJ+Emh4zd/IU37JtfiZBq8gaaAUEbm2D4ZoiZSyFkq7wHSJQLZRHfLjEYrlRUOgIagxt8qEoi4LWK+x+RZxcIzepxMwA171OtviJX6DhCBli1bcq7vyGJ+Pc475O9jt3bsefe20515bdv0WkE4d+jLzrmq24hlEiLbrnJu3l+n9aNJNab5V/TJQ7TTEd3nR0uMpQRMacNFvp3pfo1eCnN+9U/M8NIPMIBocJkf1i7XJwhQE6pxgA8z2E42bfY6EUAun41ZYsvDu4rTfiPZii3pZIRR/mEcFHB9EIbfLYbsg4JLgUPXfk3acOwN7qXygWMV7ME++bzUeNYEqcqakPIw1PKv9sSQ7d/r7sId+7dQ5fs7Iy+YEFFeZDGV02TC9VbFMoie5mBRb7DT1Rh9BmQ82cqW1QOspjCrzzBUi4O5EDYiqxRaLMdUejnSYgwoZHR5prj+ijA2/ja1p/2pRhQxsweSULmk82SL0ctv4xuRgEzi+ezCNAFTLLpGIz8fY="
+ on:
+ tags: true
+ all_branches: true
+ condition: "$DEPLOY_TO_FORGE = yes"
diff --git a/.yardopts b/.yardopts
new file mode 100644
index 0000000..be472fd
--- /dev/null
+++ b/.yardopts
@@ -0,0 +1,2 @@
+--markup markdown
+--output-dir docs/
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000..69b5684
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,29 @@
+2018-04-04 Release 2.1.1
+- release to puppet forge
+
+2018-01-23 Release 2.1.0
+- allows configurable result for enabled and disabled
+- policy_setting has changed to policy_value (same as local_security_policy)
+
+2017-12-19 Release 2.0.1
+- unknown (domain) policies already set on the system are ignored
+- trying to set an unknown/invalid policy using puppet will still result in an error
+
+2017-12-04 Release 2.0.0
+- makes advanced security policy settings ensurable
+- policy names are looked up in a list
+
+2017-11-28 Release 1.0.4
+- makes the provider case-insensitive
+
+2017-10-11 Release 1.0.3
+- change permission on lgpo.exe
+
+2017-07-06 Release 1.0.2
+- changed file persmissions because of missing administrator user
+
+2017-07-06 Release 1.0.1
+- add file lgpo.exe creation
+
+2017-07-06 Release 1.0.0
+- initial commit
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..bafacde
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,19 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3']
+gem 'facter', '>= 1.7.0'
+gem 'kpn-style'
+gem 'metadata-json-lint'
+gem 'puppet', puppetversion
+gem 'puppet-lint', '>= 1.0.0'
+gem 'puppetlabs_spec_helper', '>= 1.0.0'
+gem 'rspec-puppet'
+
+# rspec must be v2 for ruby 1.8.7
+if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+ gem 'rake', '~> 10.0'
+ gem 'rspec', '~> 2.0'
+else
+ # rubocop requires ruby >= 1.9
+ gem 'rubocop'
+end
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..d5dd936
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,3 @@
+@Library('puppetpipeline@master') _
+
+module( peVersions: ['pe4','pe5'], rspec: ['Windows'], platforms: ['windows-2008r2-x64-pe4','windows-2012r2-x64-pe4','windows-2016-x64-pe4'])
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5c80c0f
--- /dev/null
+++ b/README.md
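Review bot: The Gemfile selects the puppet gem from `PUPPET_VERSION`, but every CI matrix in this commit (.gitlab-ci.yml, .travis.yml, appveyor.yml) exports `PUPPET_GEM_VERSION`, so the `~> 4.0` and `~> 5.0` rows all install whatever newest release satisfies `>= 3.3` and the version matrix is not actually exercised. Read the variable the CI sets, keeping the old name as a fallback: `puppetversion = ENV['PUPPET_GEM_VERSION'] || ENV['PUPPET_VERSION'] || ['>= 3.3']`. `kpn-style` and `rubocop` are unpinned while `.rubocop.yml` inherits `ruby-2.4.yml` from kpn-style, so a new release of either can fail the lint stage without any change in this repository; a version constraint on both keeps that stage reproducible.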
@@ -0,0 +1,119 @@
+# advanced_security_policy
+
+#### Table of Contents
+
+1. [Module Description](#module-description)
+1. [Setup - The basics of getting started with advanced_security](#setup)
+ * [Setup Requirements](#setup-requirements)
+ * [What advanced_security_policy affects](#what-advanced_security_policy-affects)
+ * [Beginning with advanced_security_policy](#beginning-with-advanced_security_policy)
+1. [Usage - Configuration options and additional functionality](#usage)
+1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
+1. [Limitations - OS compatibility, etc.](#limitations)
+1. [Development - Guide for contributing to the module](#development)
+
+## Overview
+This module sets and enforces the advanced security policies for windows.
+We used Paul Cannons Local Security Policy as a 'blueprint' to read the policies from a template.
+
+## Module Description
+This module uses LGPO.exe (v2.2) to configure the advanced security policies on Windows.
+LGPO.exe is a command-line utility that is designed to help automate management of
+Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol)
+files, security templates, Advanced Auditing backup files, as well as from formatted
+“LGPO text” files.
+
+## Setup
+
+### Setup Requirements
+
+This module requires:
+- ADMX and ADML files with the policy settings to be set (in `C:\Windows\PolicyDefinitions`)
+- LGPO.exe needs to be installed in `C:\Windows\System32` (Add the following code)
+ ```puppet
+ include advanced_security_policy
+ ```
+
+### What advanced_security_policy affects
+- Advanced security policies.
+- `C:\Windows\System32\GroupPolicy\Machine\Registry.pol`
+
+### Beginning with advanced_security_policy
+To start using advanced_security_policy,
+simply include the module and add the defined type statements in your profile.
+Then configure the policies you want to set.
(for example in hiera)
+
+## Usage
+
+### Parameters
+
+#### policy(resource) name (required)
+Type: 'String'
+Default: '$title'
+Values: Any valid advanced security subcategory
+Description: The policy name matches the name in the policy editor
+
+#### ensure
+Type: 'String'
+Default: 'present'
+Values: 'present' or 'absent'
+Description: When a policy is set, ensure will be 'present'. If a policy is to be set as 'not configured' then ensure must be set to 'absent'.
+#### policy_value
+Type: 'String'
+Values: 'enabled', 'disabled' or a value
+Description: This is the value to be set for the policy. This can be 'enabled', 'disabled' or a value to be set.
+
+### Examples
+
+#### Example: Setting multiple security policies
+```puppet
+ advanced_security_policy {'Turn off Autoplay':
+ policy_value => '255',
+ }
+
+ advanced_security_policy {Configuration of wireless settings using Windows Connect Now':
+ policy_value => 'disabled'
+ }
+
+ advanced_security_policy {'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)':
+ policy_value => 'enabled',
+ }
+
+ advanced_security_policy {'Security: Specify the maximum log file size (KB)':
+ ensure => 'absent',
+ }
+```
+
+## Reference
+
+### Defined Types
+
+- advanced_security_policy
+
+### Provider
+- securitypolicy
+
+
+## Limitations
+This is where you list OS compatibility, version compatibility, etc.
+
+This module works on:
+
+- Windows 2008 R2
+- Windows 2012 R2
+- Windows 2016
+
+## Development
+
+You can contribute by submitting issues, providing feedback and joining the discussions.
+
+Go to: `https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy`
+
+If you want to fix bugs, add new features etc:
+- Fork it
+- Create a feature branch ( git checkout -b my-new-feature )
+- Apply your changes and update rspec tests
+- Run rspec tests ( bundle exec rake spec )
+- Commit your changes ( git commit -am 'Added some feature' )
+- Push to the branch ( git push origin my-new-feature )
+- Create new Pull Request
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..60c2cbb
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,26 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'metadata-json-lint/rake_task'
+
+# Must clear as it will not override the existing puppet-lint rake task since we require to import for
+# the PuppetLint::RakeTask
+Rake::Task[:lint].clear
+# Relative is not able to be set within the context of PuppetLint::RakeTask
+PuppetLint.configuration.relative = true
+PuppetLint::RakeTask.new(:lint) do |config|
+ config.fail_on_warnings = true
+ config.disable_checks = %w[
+ 80chars
+ class_inherits_from_params_class
+ class_parameter_defaults
+ documentation
+ ]
+ config.ignore_paths = ['vendor/**/*.pp', 'spec/**/*.pp', 'pkg/**/*.pp']
+end
+
+desc 'Run syntax, lint, and spec tests.'
+task test: [
+ :syntax,
+ :lint,
+ :metadata_lint,
+ :spec,
+]
diff --git a/appveyor.yml b/appveyor.yml
new file mode 100644
index 0000000..5fd5e89
--- /dev/null
+++ b/appveyor.yml
@@ -0,0 +1,57 @@
+version: 1.1.x.{build}
+skip_commits:
+ message: /^\(?doc\)?.*/
+clone_depth: 10
+init:
+ - SET
+ - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0'
+environment:
+ matrix:
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: syntax lint
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: metadata_lint
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: rubocop
+ -
+ PUPPET_GEM_VERSION: ~> 4.0
+ RUBY_VERSION: 21
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 4.0
+ RUBY_VERSION: 21-x64
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 5.0
+ RUBY_VERSION: 24
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 5.0
+ RUBY_VERSION: 24-x64
+ CHECK: spec
+matrix:
+ fast_finish: true
+install:
+ - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH%
+ - bundle install --jobs 4 --retry 2 --without system_tests
+ - type Gemfile.lock
+build: off
+test_script:
+ - bundle exec puppet -V
+ - ruby -v
+ - gem -v
+ - bundle -v
+ - bundle exec rake %CHECK%
+notifications:
+ - provider: Email
+ to:
+ - nobody@nowhere.com
+ on_build_success: false
+ on_build_failure: false
+ on_build_status_changed: false
diff --git a/files/LGPO.exe b/files/LGPO.exe
new file mode 100644
index 0000000..df0047c
Binary files /dev/null and b/files/LGPO.exe differ
diff --git a/lib/puppet/provider/advanced_security_policy/lgpo.rb b/lib/puppet/provider/advanced_security_policy/lgpo.rb
new file mode 100644
index 0000000..bb3b09a
--- /dev/null
+++ b/lib/puppet/provider/advanced_security_policy/lgpo.rb
@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+# Provider
+
+require 'puppet_x/asp/security_policy'
+
+Puppet::Type.type(:advanced_security_policy).provide(:lgpo) do
+ TEMP_FILE = 'C:\\windows\\temp\\lgpotemp.txt'
+ REGISTRY_FILE = 'C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol'
+
+ confine osfamily: :windows
+ defaultfor osfamily: :windows
+
+ commands securitypol: 'lgpo.exe'
+
+ mk_resource_methods
+
+ def initialize(value = {})
+ super(value)
+ @property_flush = {}
+ end
+
+ def flush
+ policy_hash = AdvancedSecurityPolicy.find_mapping_from_policy_desc(resource[:name])
+
+ reg_type = policy_hash[:reg_type]
+
+ if policy_hash[:data_type] == 'boolean'
+ policy_value = (resource[:policy_value] == 'enabled') ? policy_hash[:enabled_value] : policy_hash[:disabled_value]
+ elsif !resource[:policy_value].nil?
+ policy_value = resource[:policy_value].downcase
+ end
+
+ configuration = policy_hash[:configuration]
+ registry_key = policy_hash[:registry_key]
+ value_name = policy_hash[:value_name]
+
+ action = (resource[:action] == 'DELETE') ? 'DELETE' : "#{reg_type}:#{policy_value}"
+
+ self.class.write_setting_to_tempfile(configuration, registry_key, value_name, action)
+ securitypol('/t', TEMP_FILE)
+
+ @property_hash = resource.to_hash
+ end
+
+ def self.write_setting_to_tempfile(configuration, registry_key, value_name, action)
+ out_file = File.new(TEMP_FILE, 'w')
+ out_file.puts(configuration.to_s)
+ out_file.puts(registry_key.to_s)
+ out_file.puts(value_name.to_s)
+ out_file.puts(action.to_s)
+ out_file.close
+ end
+
+ def self.registry_file_exists
+ File.file? REGISTRY_FILE
+ end
+
+ def exists?
+ # does the policy setting exist?
+ @property_hash[:ensure] == :present
+ end
+
+ def create
+ # create the policy setting
+ resource[:ensure] = :present
+ end
+
+ def destroy
+ # reset the policy setting
+ @property_hash[:ensure] = :absent
+ @resource[:action] = 'DELETE'
+ end
+
+ def self.configuration_is_computer(action, policy_values)
+ if ['DELETE', 'SZ:'].include?(action)
+ ensure_value = :absent
+ policy_setting = action
+ else
+ ensure_value = :present
+ policy_setting = (policy_values[:data_type] == 'boolean') ? policy_datatype_boolean(action, policy_values[:enabled_value]) : action.split(':')[1].downcase
+ end
+
+ [ensure_value, policy_setting]
+ end
+
+ def self.policy_datatype_boolean(action, enabled_value)
+ (action.split(':')[1] == enabled_value) ? 'enabled' : 'disabled'
+ end
+
+ def self.instances
+ instances = []
+
+ if registry_file_exists
+ categories = securitypol('/parse', '/q', '/m', REGISTRY_FILE)
+ line_array = categories.split("\n").drop(4)
+ entries = line_array.each_slice(5)
+
+ entries.map do |entry_array|
+ configuration = entry_array[0]
+
+ next unless configuration == 'Computer'
+ registry_key = entry_array[1]
+ value_name = entry_array[2]
+ action = entry_array[3].upcase
+ registry_value = "#{registry_key}\\#{value_name}"
+ policy_desc, policy_values = AdvancedSecurityPolicy.find_mapping_from_policy_name(registry_value)
+
+ next if policy_desc.nil?
+ ensure_value, policy_setting = configuration_is_computer(action, policy_values)
+ policy_hash = {
+ name: policy_desc,
+ ensure: ensure_value,
+ policy_value: policy_setting,
+ }
+ instances << new(policy_hash)
+ end
+ end
+ instances
+ end
+
+ def self.prefetch(resources)
+ policies = instances
+ resources.keys.each do |name|
+ if (provider = policies.find { |policy| policy.name == name })
+ resources[name].provider = provider
+ end
+ end
+ end
+end
diff --git a/lib/puppet/type/advanced_security_policy.rb b/lib/puppet/type/advanced_security_policy.rb
new file mode 100644
index 0000000..5659dbd
--- /dev/null
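Review bot: `flush` hands `lgpo.exe /t` a file at the fixed path `C:\windows\temp\lgpotemp.txt` (`TEMP_FILE`) that `write_setting_to_tempfile` creates with `File.new` and never removes; the process importing it is rewriting machine policy, so a predictable name in a shared temp directory is a place where another local account could pre-create or replace the file between the write and the import. Create it with a unique name in a directory only the agent account can write to (for example under `Puppet[:vardir]`, after confirming its ACL) and delete it in an `ensure` once `securitypol` returns. The handle also leaks if a `puts` raises; the block form produces the same four lines: `File.open(TEMP_FILE, 'w') { |f| f.puts(configuration.to_s, registry_key.to_s, value_name.to_s, action.to_s) }`. Separately, `prefetch` matches titles with `policy.name == name` while both lookups in `AdvancedSecurityPolicy` are case-insensitive, so a title that differs only in case never gets its existing instance attached and `exists?` reports it missing on every run; `policies.find { |policy| policy.name.casecmp(name).zero? }` keeps the two consistent. `configuration_is_computer` also calls `.downcase` on `action.split(':')[1]`, which is nil for any parsed action other than `DELETE` that carries no `:`, so a guard there would turn a NoMethodError during `instances` into a skipped entry.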
+++ b/lib/puppet/type/advanced_security_policy.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# Type
+Puppet::Type.newtype(:advanced_security_policy) do
+ desc 'advanced_security_policy type for windows'
+
+ ensurable
+
+ newparam(:policy_key, namevar: true) do
+ desc 'The Advanced Security Setting name. What you see in the GUI.'
+ validate do |value|
+ raise 'Advanced Security Setting name should be a string' unless value.is_a? String
+ end
+ end
+
+ newproperty(:configuration) do
+ desc 'The configuration specifies whether the setting is for Computer Configuration, User Configuration, or an MLGPO User Configuration'
+ end
+
+ newproperty(:registry_key) do
+ desc 'The registry Key specifies the name of a registry key'
+ end
+
+ newproperty(:value_name) do
+ desc 'The value_name is the name of the registry value to modify'
+ end
+
+ newproperty(:reg_type) do
+ desc 'The reg_type is the registry type of the registry value to modify'
+ end
+
+ newproperty(:policy_value) do
+ desc 'The policy_value is setting of the registry value to modify'
+ validate do |value|
+ raise 'Value Name should be a String' unless value.is_a? String
+ end
+ end
+
+ newproperty(:data_type) do
+ desc 'The data_type specifies if the policy setting will be used as a boolean or a string value'
+ end
+
+ newproperty(:enabled_value) do
+ desc 'The enabled_value specifies the result of setting enabled. Enabled would expect to result in 1 but may also be 0'
+ end
+
+ newproperty(:disabled_value) do
+ desc 'The enabled_value specifies the result of setting enabled. Enabled would expect to result in 1 but may also be 0'
+ end
+
+ newproperty(:action) do
+ desc 'Action specifies what action to take'
+ end
+end
diff --git a/lib/puppet_x/asp/security_policy.rb b/lib/puppet_x/asp/security_policy.rb
new file mode 100644
index 0000000..6a77c3c
--- /dev/null
+++ b/lib/puppet_x/asp/security_policy.rb
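Review bot: The `desc` on `disabled_value` is a copy of the `enabled_value` text, so the generated reference describes the wrong property; use `desc 'The disabled_value specifies the result of setting disabled. Disabled would expect to result in 0 but may also be 1'`. Both `validate` blocks raise a bare string, which is a RuntimeError; `raise ArgumentError, '...'` is the conventional form for a rejected parameter value, and the `policy_value` message `'Value Name should be a String'` names the wrong property. The namevar is `policy_key`, whereas the README in this commit documents the title only as `policy(resource) name`; mentioning in its `desc` that it is also the resource title would save users a lookup.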
@@ -0,0 +1,1710 @@
+# frozen_string_literal: true
+
+require 'puppet/provider'
+
+# clase AdvancedSecurityPolicy
+class AdvancedSecurityPolicy
+ # returns the key and hash value given the policy name
+ def self.find_mapping_from_policy_name(name)
+ key, value = asp_mapping.find do |_key, hash|
+ hash[:name].casecmp(name).zero?
+ end
+ [key, value]
+ end
+
+ # returns the key and hash value given the policy desc
+ def self.find_mapping_from_policy_desc(desc)
+ name = desc.downcase
+ _key, value = asp_mapping.find do |key, _hash|
+ key.downcase == name
+ end
+ unless value
+ raise KeyError, "#{desc} is not a valid policy"
+ end
+ value
+ end
+
+ def self.asp_mapping
+ @asp_mapping ||= {
+ 'Prevent enabling lock screen camera' => {
+ name: 'Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Personalization',
+ value_name: 'NoLockScreenCamera',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent enabling lock screen slide show' => {
+ name: 'Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Personalization',
+ value_name: 'NoLockScreenSlideshow',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Input Personalization' => {
+ name: 'Software\Policies\Microsoft\InputPersonalization\AllowInputPersonalization',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\InputPersonalization',
+ value_name: 'AllowInputPersonalization',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' => {
+ name: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon',
+ configuration: 'Computer',
+ registry_key:
'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
+ value_name: 'AutoAdminLogon',
+ reg_type: 'SZ',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' => {
+ name: 'System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Tcpip6\Parameters',
+ value_name: 'DisableIPSourceRouting',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' => {
+ name: 'System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters',
+ value_name: 'DisableIPSourceRouting',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ disabled_value: '0',
+ },
+ 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' => {
+ name: 'System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters',
+ value_name: 'EnableICMPRedirect',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' => {
+ name: 'System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters',
+ value_name: 'KeepAliveTime',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' => {
+ name: 'System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand',
+ configuration: 'Computer',
+ registry_key:
'System\CurrentControlSet\Services\Netbt\Parameters',
+ value_name: 'NoNameReleaseOnDemand',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' => {
+ name: 'System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters',
+ value_name: 'PerformRouterDiscovery',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' => {
+ name: 'System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Control\Session Manager',
+ value_name: 'SafeDllSearchMode',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' => {
+ name: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod',
+ configuration: 'Computer',
+ registry_key: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
+ value_name: 'ScreenSaverGracePeriod',
+ reg_type: 'SZ',
+ data_type: 'string',
+ },
+ 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' => {
+ name: 'System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Tcpip6\Parameters',
+ value_name: 'TcpMaxDataRetransmissions',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' => {
+ name: 'System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions',
+ configuration: 'Computer',
+
registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters',
+ value_name: 'TcpMaxDataRetransmissions',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' => {
+ name: 'System\CurrentControlSet\Services\Eventlog\Security\WarningLevel',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Eventlog\Security',
+ value_name: 'WarningLevel',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'NetBIOS node type' => {
+ name: 'System\CurrentControlSet\Services\Netbt\Parameters\NodeType',
+ configuration: 'Computer',
+ registry_key: 'System\CurrentControlSet\Services\Netbt\Parameters',
+ value_name: 'NodeType',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Turn off multicast name resolution' => {
+ name: 'Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\DNSClient',
+ value_name: 'EnableMulticast',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Enable Font Providers' => {
+ name: 'Software\Policies\Microsoft\Windows\System\EnableFontProviders',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\System',
+ value_name: 'EnableFontProviders',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Enable insecure guest logons' => {
+ name: 'Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LanmanWorkstation',
+ value_name: 'AllowInsecureGuestAuth',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\EnableLLTDIO',
+ configuration: 'Computer',
+
registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'EnableLLTDIO',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOndomain',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'AllowLLTDIOOndomain',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnPublicNet',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'AllowLLTDIOOnPublicNet',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\ProhibitLLTDIOOnPrivateNet',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'ProhibitLLTDIOOnPrivateNet',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Responder (RSPNDR) driver (EnableRspndr)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\EnableRspndr',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'EnableRspndr',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Responder (RSPNDR) driver (AllowRspndrOndomain)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOndomain',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'AllowRspndrOndomain',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on
Responder (RSPNDR) driver (AllowRspndrOnPublicNet)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnPublicNet',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'AllowRspndrOnPublicNet',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)' => {
+ name: 'Software\Policies\Microsoft\Windows\LLTD\ProhibitRspndrOnPrivateNet',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LLTD',
+ value_name: 'ProhibitRspndrOnPrivateNet',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn off Microsoft Peer-to-Peer Networking Services' => {
+ name: 'Software\Policies\Microsoft\Peernet\Disabled',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Peernet',
+ value_name: 'Disabled',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prohibit installation and configuration of Network Bridge on your DNS domain network' => {
+ name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Network Connections',
+ value_name: 'NC_AllowNetBridge_NLA',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Require domain users to elevate when setting a network`s location' => {
+ name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Network Connections',
+ value_name: 'NC_StdDomainUserSetLocation',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prohibit use of Internet Connection Sharing on your DNS domain network' => {
+ name:
'Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Network Connections',
+ value_name: 'NC_ShowSharedAccessUI',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Configuration of wireless settings using Windows Connect Now (EnableRegistrars)' => {
+ name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\EnableRegistrars',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars',
+ value_name: 'EnableRegistrars',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)' => {
+ name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableUPnPRegistrar',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars',
+ value_name: 'DisableUPnPRegistrar',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)' => {
+ name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableInBand802DOT11Registrar',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars',
+ value_name: 'DisableInBand802DOT11Registrar',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)' => {
+ name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableFlashConfigRegistrar',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars',
+ value_name: 'DisableFlashConfigRegistrar',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+
'Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)' => { + name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableWPDRegistrar', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', + value_name: 'DisableWPDRegistrar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Prohibit access of the Windows Connect Now wizards' => { + name: 'Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\UI', + value_name: 'DisableWcnUi', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' => { + name: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy', + value_name: 'fMinimizeConnections', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Prohibit connection to non-domain networks when connected to domain authenticated network' => { + name: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy', + value_name: 'fBlockNonDomain', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Apply UAC restrictions to local accounts on network logons' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'LocalAccountTokenFilterPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'WDigest 
Authentication' => { + name: 'System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Control\SecurityProviders\WDigest', + value_name: 'UseLogonCredential', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Include command line in process creation events' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit', + value_name: 'ProcessCreationIncludeCmdLine_Enabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow remote access to the Plug and Play interface' => { + name: 'Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DeviceInstall\Settings', + value_name: 'AllowRemoteRPC', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Boot-Start Driver Initialization Policy' => { + name: 'System\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Policies\EarlyLaunch', + value_name: 'DriverLoadPolicy', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Configure registry policy processing: Do not apply during periodic background processing' => { + name: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}', + value_name: 'NoBackgroundPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Configure registry policy processing: Process even if 
the Group Policy objects have not changed' => { + name: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}', + value_name: 'NoGPOListChanges', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Turn off background refresh of Group Policy' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'DisableBkGndGroupPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Continue experiences on this device' => { + name: 'Software\Policies\Microsoft\Windows\System\EnableCdp', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'EnableCdp', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off access to the Store' => { + name: 'Software\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Explorer', + value_name: 'NoUseStoreOpenWith', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off downloading of print drivers over HTTP' => { + name: 'Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', + value_name: 'DisableWebPnPDownload', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off handwriting personalization data sharing' => { + name: 'Software\Policies\Microsoft\Windows\TabletPC\PreventHandwritingDataSharing', + 
configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\TabletPC', + value_name: 'PreventHandwritingDataSharing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off handwriting recognition error reporting' => { + name: 'Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\HandwritingErrorReports', + value_name: 'PreventHandwritingErrorReports', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' => { + name: 'Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Internet Connection Wizard', + value_name: 'ExitOnMSICW', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Internet download for Web publishing and online ordering wizards' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoWebServices', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Internet File Association service' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoInternetOpenWith', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off printing over HTTP' => { + name: 'Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting', + configuration: 'Computer', + 
registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', + value_name: 'DisableHTTPPrinting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Registration if URL connection is referring to Microsoft.com' => { + name: 'Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Registration Wizard Control', + value_name: 'NoRegistration', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Search Companion content file updates' => { + name: 'Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdates', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\SearchCompanion', + value_name: 'DisableContentFileUpdates', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off the "Order Prints" picture task' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoOnlinePrintsWizard', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off the "Publish to Web" task for files and folders' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoPublishingWizard', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off the Windows Messenger Customer Experience Improvement Program' => { + name: 'Software\Policies\Microsoft\Messenger\Client\CEIP', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Messenger\Client', + value_name: 
'CEIP', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '2', + disabled_value: '1', + }, + 'Turn off Windows Customer Experience Improvement Program' => { + name: 'Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\SQMClient\Windows', + value_name: 'CEIPEnable', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Turn off Windows Error Reporting' => { + name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Disabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting', + value_name: 'Disabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Support device authentication using certificate (DevicePKInitEnabled)' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters\DevicePKInitEnabled', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters', + value_name: 'DevicePKInitEnabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Support device authentication using certificate (DevicePKInitBehavior)' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters\DevicePKInitBehavior', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters', + value_name: 'DevicePKInitBehavior', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Disallow copying of user input methods to the system account for sign-in' => { + name: 'Software\Policies\Microsoft\Control Panel\International\BlockUserInputMethodsForSignIn', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Control Panel\International', + value_name: 'BlockUserInputMethodsForSignIn', + reg_type: 
'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Always use classic logon' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'LogonType', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Do not display network selection UI' => { + name: 'Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'DontDisplayNetworkSelectionUI', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Do not enumerate connected users on domain-joined computers' => { + name: 'Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'DontEnumerateConnectedUsers', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enumerate local users on domain-joined computers' => { + name: 'Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'EnumerateLocalUsers', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off app notifications on the lock screen' => { + name: 'Software\Policies\Microsoft\Windows\System\DisableLockScreenAppNotifications', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'DisableLockScreenAppNotifications', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn on convenience PIN sign-in' => { + name: 
'Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'AllowDomainPINLogon', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Block user from showing account details on sign-in' => { + name: 'Software\Policies\Microsoft\Windows\System\BlockUserFromShowingAccountDetailsOnSignin', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'BlockUserFromShowingAccountDetailsOnSignin', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Untrusted Font Blocking' => { + name: 'Software\Policies\Microsoft\Windows NT\MitigationOptions\MitigationOptions_FontBocking', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\MitigationOptions', + value_name: 'MitigationOptions_FontBocking', + reg_type: 'SZ', + data_type: 'string', + }, + 'Allow network connectivity during connected-standby (on battery)' => { + name: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9\DCSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9', + value_name: 'DCSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow network connectivity during connected-standby (plugged in)' => { + name: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9\ACSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9', + value_name: 'ACSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Require a password when a computer wakes (on battery)' => { + name: 
'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51', + value_name: 'DCSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Require a password when a computer wakes (plugged in)' => { + name: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51', + value_name: 'ACSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure Offer Remote Assistance' => { + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fAllowUnsolicited', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure Solicited Remote Assistance' => { + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fAllowToGetHelp', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enable RPC Endpoint Mapper Client Authentication' => { + name: 'Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Rpc', + value_name: 'EnableAuthEpResolution', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Restrict Unauthenticated RPC clients' => { + name: 'Software\Policies\Microsoft\Windows 
NT\Rpc\RestrictRemoteClients', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Rpc', + value_name: 'RestrictRemoteClients', + reg_type: 'DWORD', + data_type: 'string', + disabled_value: '0', + }, + 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' => { + name: 'Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\DisableQueryRemoteServer', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy', + value_name: 'DisableQueryRemoteServer', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enable/Disable PerfTrack' => { + name: 'Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ScenarioExecutionEnabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}', + value_name: 'ScenarioExecutionEnabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off the advertising ID' => { + name: 'Software\Policies\Microsoft\Windows\AdvertisingInfo\DisabledByGroupPolicy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\AdvertisingInfo', + value_name: 'DisabledByGroupPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enable Windows NTP Client' => { + name: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\Enabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpClient', + value_name: 'Enabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enable Windows NTP Server' => { + name: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpServer\Enabled', + configuration: 'Computer', + registry_key: 
'Software\Policies\Microsoft\W32time\TimeProviders\NtpServer', + value_name: 'Enabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow a Windows app to share application data between users' => { + name: 'Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager\AllowSharedLocalAppData', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager', + value_name: 'AllowSharedLocalAppData', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Let Windows apps *' => { + name: 'Software\Policies\Microsoft\Windows\AppPrivacy\LetAppsAccessAccountInfo', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\AppPrivacy', + value_name: 'LetAppsAccessAccountInfo', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Allow Microsoft accounts to be optional' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'MSAOptional', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' 
=> { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\BlockHostedAppAccessWinRT', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'BlockHostedAppAccessWinRT', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Disallow Autoplay for non-volume devices' => { + name: 'Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Explorer', + value_name: 'NoAutoplayfornonVolume', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Set the default behavior for AutoRun' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoAutorun', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Turn off Autoplay' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoDriveTypeAutoRun', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Use enhanced anti-spoofing when available' => { + name: 'Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Biometrics\FacialFeatures', + value_name: 'EnhancedAntiSpoofing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow Use of Camera' => { + name: 'Software\Policies\Microsoft\Camera\AllowCamera', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Camera', + value_name: 'AllowCamera', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off 
Microsoft consumer experiences' => { + name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'DisableWindowsConsumerFeatures', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Require pin for pairing' => { + name: 'Software\Policies\Microsoft\Windows\Connect\RequirePinForPairing', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Connect', + value_name: 'RequirePinForPairing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Do not display the password reveal button' => { + name: 'Software\Policies\Microsoft\Windows\CredUI\DisablePasswordReveal', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CredUI', + value_name: 'DisablePasswordReveal', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enumerate administrator accounts on elevation' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI', + value_name: 'EnumerateAdministrators', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow Telemetry' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'AllowTelemetry', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Disable pre-release features or settings' => { + name: 'Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\PreviewBuilds', + value_name: 'EnableConfigFlighting', + 
reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Do not show feedback notifications' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\DoNotShowFeedbackNotifications', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'DoNotShowFeedbackNotifications', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Toggle user control over Insider builds' => { + name: 'Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\PreviewBuilds', + value_name: 'AllowBuildPreview', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off desktop gadgets' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar', + value_name: 'TurnOffSidebar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn Off user-installed desktop gadgets' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar', + value_name: 'TurnOffUserInstalledGadgets', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Application: Control Event Log behavior when the log file reaches its maximum size' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\Application\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Application', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + 
}, + 'Application: Specify the maximum log file size (KB)' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Application', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Security: Control Event Log behavior when the log file reaches its maximum size' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\Security\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Security', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Security: Specify the maximum log file size (KB)' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Security', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Setup: Control Event Log behavior when the log file reaches its maximum size' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\Setup\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Setup', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Setup: Specify the maximum log file size (KB)' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Setup', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', + }, + 'System: Control Event Log behavior when the log file reaches its maximum size' => { + name: 'Software\Policies\Microsoft\Windows\EventLog\System\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\System', + value_name: 'Retention', + reg_type: 'SZ', + 
data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'System: Specify the maximum log file size (KB)' => {
+ name: 'Software\Policies\Microsoft\Windows\EventLog\System\MaxSize',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\EventLog\System',
+ value_name: 'MaxSize',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Configure Windows SmartScreen' => {
+ name: 'Software\Policies\Microsoft\Windows\System\EnableSmartScreen',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\System',
+ value_name: 'EnableSmartScreen',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Turn off Data Execution Prevention for Explorer' => {
+ name: 'Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Explorer',
+ value_name: 'NoDataExecutionPrevention',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn off heap termination on corruption' => {
+ name: 'Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Explorer',
+ value_name: 'NoHeapTerminationOnCorruption',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn off shell protocol protected mode' => {
+ name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior',
+ configuration: 'Computer',
+ registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
+ value_name: 'PreXPSP2ShellProtocolBehavior',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn off location' => {
+ name: 'Software\Policies\Microsoft\Windows\LocationAndSensors\DisableLocation',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\LocationAndSensors',
+ value_name: 'DisableLocation',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Extensions' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Extensions\ExtensionsEnabled',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Extensions',
+ value_name: 'ExtensionsEnabled',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow InPrivate Browsing' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\AllowInPrivate',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main',
+ value_name: 'AllowInPrivate',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Configure cookies' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\Cookies',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main',
+ value_name: 'Cookies',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Configure Pop-up Blocker' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\AllowPopups',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main',
+ value_name: 'AllowPopups',
+ reg_type: 'SZ',
+ data_type: 'string',
+ },
+ 'Configure search suggestions in Address bar' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\SearchScopes\ShowSearchSuggestionsGlobal',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\SearchScopes',
+ value_name: 'ShowSearchSuggestionsGlobal',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Configure Password Manager' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\FormSuggest Passwords',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main',
+ value_name: 'FormSuggest Passwords',
+ reg_type: 'SZ',
+ data_type: 'string',
+ },
+ 'Configure SmartScreen Filter' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\EnabledV9',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter',
+ value_name: 'EnabledV9',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent access to the about: flags page in Microsoft Edge' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\PreventAccessToAboutFlagsInMicrosoftEdge',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main',
+ value_name: 'PreventAccessToAboutFlagsInMicrosoftEdge',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent bypassing SmartScreen prompts for files' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\PreventOverrideAppRepUnknown',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter',
+ value_name: 'PreventOverrideAppRepUnknown',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent bypassing SmartScreen prompts for sites' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\PreventOverride',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter',
+ value_name: 'PreventOverride',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent using Localhost IP address for WebRTC' => {
+ name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\HideLocalHostIP',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main',
+ value_name: 'HideLocalHostIP',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent the usage of OneDrive for file storage (DisableFileSync)' => {
+ name: 'Software\Policies\Microsoft\Windows\Skydrive\DisableFileSync',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Skydrive',
+ value_name: 'DisableFileSync',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent the usage of OneDrive for file storage (DisableFileSyncNGSC)' => {
+ name: 'Software\Policies\Microsoft\Windows\OneDrive\DisableFileSyncNGSC',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\OneDrive',
+ value_name: 'DisableFileSyncNGSC',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ },
+ 'Do not allow passwords to be saved' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'DisablePasswordSaving',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'fSingleSessionPerUser',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Do not allow COM port redirection' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCcm',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'fDisableCcm',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Do not allow LPT port redirection' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableLPT',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'fDisableLPT',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Do not allow supported Plug and Play device redirection' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisablePNPRedir',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'fDisablePNPRedir',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Always prompt for password upon connection' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'fPromptForPassword',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Require secure RPC communication' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'fEncryptRPCTraffic',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Set client connection encryption level' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'MinEncryptionLevel',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Set time limit for active but idle Remote Desktop Services sessions' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'MaxIdleTime',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Set time limit for disconnected sessions' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'MaxDisconnectionTime',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Do not delete temp folders upon exit' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'DeleteTempDirsOnExit',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Do not use temporary folders per session' => {
+ name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services',
+ value_name: 'PerSessionTempDir',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Prevent downloading of enclosures' => {
+ name: 'Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Internet Explorer\Feeds',
+ value_name: 'DisableEnclosureDownload',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Cortana' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowCortana',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Search',
+ value_name: 'AllowCortana',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Set what information is shared in Search' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Search\ConnectedSearchPrivacy',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Search',
+ value_name: 'ConnectedSearchPrivacy',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Allow indexing of encrypted files' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Search',
+ value_name: 'AllowIndexingEncryptedStoresOrItems',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow search and Cortana to use location' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowSearchToUseLocation',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Search',
+ value_name: 'AllowSearchToUseLocation',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Cortana above lock screen' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowCortanaAboveLock',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Search',
+ value_name: 'AllowCortanaAboveLock',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn off KMS Client Online AVS Validation' => {
+ name: 'Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform\NoGenTicket',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform',
+ value_name: 'NoGenTicket',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Disable all apps from Windows Store' => {
+ name: 'Software\Policies\Microsoft\WindowsStore\DisableStoreApps',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\WindowsStore',
+ value_name: 'DisableStoreApps',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Turn off Automatic Download and Install of updates' => {
+ name: 'Software\Policies\Microsoft\WindowsStore\AutoDownload',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\WindowsStore',
+ value_name: 'AutoDownload',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Turn off the offer to update to the latest version of Windows' => {
+ name: 'Software\Policies\Microsoft\WindowsStore\DisableOSUpgrade',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\WindowsStore',
+ value_name: 'DisableOSUpgrade',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Turn off the Store application' => {
+ name: 'Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\WindowsStore',
+ value_name: 'RemoveWindowsStore',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Join Microsoft MAPS' => {
+ name: 'Software\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows Defender\Spynet',
+ value_name: 'SpynetReporting',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Configure Watson events' => {
+ name: 'Software\Policies\Microsoft\Windows Defender\Reporting\DisableGenericRePorts',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows Defender\Reporting',
+ value_name: 'DisableGenericRePorts',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Configure Default consent' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent',
+ value_name: 'DefaultConsent',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Automatically send memory dumps for OS-generated error reports' => {
+ name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\AutoApproveOSDumps',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting',
+ value_name: 'AutoApproveOSDumps',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow suggested apps in Windows Ink Workspace' => {
+ name: 'Software\Policies\Microsoft\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\WindowsInkWorkspace',
+ value_name: 'AllowSuggestedAppsInWindowsInkWorkspace',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Windows Ink Workspace' => {
+ name: 'Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\WindowsInkWorkspace',
+ value_name: 'AllowWindowsInkWorkspace',
+ reg_type: 'DWORD',
+ data_type: 'string',
+ },
+ 'Allow user control over installs' => {
+ name: 'Software\Policies\Microsoft\Windows\Installer\EnableUserControl',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Installer',
+ value_name: 'EnableUserControl',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Always install with elevated privileges' => {
+ name: 'Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Installer',
+ value_name: 'AlwaysInstallElevated',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Prevent Internet Explorer security prompt for Windows Installer scripts' => {
+ name: 'Software\Policies\Microsoft\Windows\Installer\SafeForScripting',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Installer',
+ value_name: 'SafeForScripting',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on PowerShell Script Block Logging' => {
+ name: 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging',
+ value_name: 'EnableScriptBlockLogging',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Turn on PowerShell Transcription' => {
+ name: 'Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\PowerShell\Transcription',
+ value_name: 'EnableTranscripting',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Basic authentication (Client)' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client',
+ value_name: 'AllowBasic',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow unencrypted traffic (Client)' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client',
+ value_name: 'AllowUnencryptedTraffic',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Disallow Digest authentication' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client',
+ value_name: 'AllowDigest',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '0',
+ disabled_value: '1',
+ },
+ 'Allow Basic authentication (Service)' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service',
+ value_name: 'AllowBasic',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow remote server management through WinRM' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service',
+ value_name: 'AllowAutoConfig',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow unencrypted traffic (Service)' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service',
+ value_name: 'AllowUnencryptedTraffic',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Disallow WinRM from storing RunAs credentials' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service',
+ value_name: 'DisableRunAs',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ 'Allow Remote Shell Access' => {
+ name: 'Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service\WinRS',
+ value_name: 'AllowRemoteShellAccess',
+ reg_type: 'DWORD',
+ data_type: 'boolean',
+ enabled_value: '1',
+ disabled_value: '0',
+ },
+ }
+ end
+end
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..a137451
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,10 @@
+# class advanced_security_policy
+class advanced_security_policy {
+ file { 'C:/Windows/System32/LGPO.exe':
+ ensure => file,
+ source => 'puppet:///modules/advanced_security_policy/LGPO.exe',
+ owner => 'Administrators',
+ group => 'Administrators',
+ mode => '0770',
+ }
+}
diff --git a/metadata.json b/metadata.json
new file mode 100644
index 0000000..076eaad
--- /dev/null
+++ b/metadata.json
@@ -0,0 +1,33 @@
+{
+ "name": "kpn-advanced_security_policy",
+ "version": "2.1.1",
+ "author": "kpn",
+ "summary": "This module sets Advanced Security Policy settings on Windows.",
+ "license": "Apache-2.0",
+ "source": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy",
+ "project_page": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy",
+ "issues_url": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy/issues",
+ "dependencies": [],
+ "operatingsystem_support": [
+ {
+ "operatingsystem": "windows",
+ "operatingsystemrelease": [
+ "2008 R2",
+ "2012 R2",
+ "2016"
+ ]
+ }
+ ],
+ "requirements": [
+ {
+ "name": "puppet",
+ "version_requirement": ">= 4.7.0 < 6.0.0"
+ }
+ ],
+ "kpn_quality_label": "A",
+ "kpn_module_owner": "Product Owner Platforms",
+ "kpn_module_support": "Puppet Development Team",
+ "pdk-version": "1.4.1",
+ "template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git",
+ "template-ref": "1.4.1-0-g52adbbb"
+}
diff --git a/spec/acceptance/acceptance_spec.rb b/spec/acceptance/acceptance_spec.rb
new file mode 100644
index 0000000..9b338b7
--- /dev/null
+++ b/spec/acceptance/acceptance_spec.rb
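Review bot: The `file { 'C:/Windows/System32/LGPO.exe': ... }` resource places an executable into System32 without pinning what the module expects that file to be; `source` is served from the module's own `files/` directory, so whoever replaces the vendored binary silently changes what the `lgpo` provider (referenced by the unit spec in this commit) will execute with the agent's privileges. Pinning the digest turns an unnoticed swap into a catalog failure and records which LGPO build the module was tested against: `checksum => 'sha256',` followed by `checksum_value => '<sha256 of the vendored LGPO.exe>',` (placeholder to be filled from the shipped file). A comment above the resource naming the LGPO.exe version and where it was obtained would also help the next upgrade, and the `# class advanced_security_policy` header could state that this binary is a prerequisite for the provider rather than an optional install.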
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'advanced_security_policy', unless: UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+ context 'with default parameters' do
+ it 'works idempotently with no errors' do
+ pp = <<-ASP
+ include advanced_security_policy
+
+ advanced_security_policy { 'Application: Specify the maximum log file size (KB)':
+ policy_value => '65000',
+ }
+ ASP
+
+ # Run it twice and test for idempotency
+ apply_manifest(pp, catch_failures: true)
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe command('C:\Windows\System32\LGPO.exe /parse /q /m \'C:\Windows\System32\GroupPolicy\Machine\Registry.pol\'') do
+ its(:stdout) { is_expected.to match %r{Software\\Policies\\Microsoft\\Windows\\EventLog\\Application} }
+ its(:stdout) { is_expected.to match %r{MaxSize} }
+ its(:stdout) { is_expected.to match %r{DWORD:65000} }
+ end
+
+ describe file('C:/windows/temp/lgpotemp.txt') do
+ its(:content) { is_expected.to match %r{^Software\\Policies\\Microsoft\\Windows\\EventLog\\Application$} }
+ its(:content) { is_expected.to match %r{^MaxSize$} }
+ its(:content) { is_expected.to match %r{^DWORD:65000$} }
+ end
+ end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..384a50a
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'puppetlabs_spec_helper/module_spec_helper'
+
+RSpec.configure { |c| c.fail_fast = true }
+
+at_exit { print "Resource coverage report is N/A for custom provider type\n\n" }
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
new file mode 100644
index 0000000..670ab16
--- /dev/null
+++ b/spec/spec_helper_acceptance.rb
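Review bot: The `describe file('C:/windows/temp/lgpotemp.txt')` block makes the provider's staging file an expected post-condition: it asserts the policy text is still on disk at a fixed path under `C:\windows\temp` after both `apply_manifest` runs have finished. The provider spec in this commit shows that same path being handed to `securitypol('/t', ...)`, so the file is presumably an intermediate that LGPO.exe consumes; if the provider is meant to remove it afterwards, this test pins the leftover in place, and if it is not, a predictable persistent file in a shared temp directory deserves at least a comment explaining why it is kept. Once the provider cleans up, the stronger assertion here is `it { is_expected.not_to exist }` on that file, with the `describe command(... /parse ...)` block remaining the check of the applied policy. Style: `pp = <<-ASP` could be `<<~ASP` so the manifest body is not carried into the string with its indentation.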
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'beaker-rspec/spec_helper'
+require 'beaker-rspec/helpers/serverspec'
+require 'beaker/puppet_install_helper'
+
+UNSUPPORTED_PLATFORMS = ['RedHat'].freeze
+
+unless ENV['RS_PROVISION'] == 'no' || ENV['BEAKER_provision'] == 'no'
+ # Install Puppet Enterprise Agent
+ run_puppet_install_helper
+end
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ puppet_module_install(source: proj_root, module_name: 'advanced_security_policy')
+ end
+end
diff --git a/spec/unit/puppet/provider/advanced_security_policy_spec.rb b/spec/unit/puppet/provider/advanced_security_policy_spec.rb
new file mode 100644
index 0000000..6cf5196
--- /dev/null
+++ b/spec/unit/puppet/provider/advanced_security_policy_spec.rb
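Review bot: `UNSUPPORTED_PLATFORMS = ['RedHat'].freeze` is a denylist guarding a module whose `metadata.json` in this same commit declares support for `windows` only, so any node whose `osfamily` is something other than `RedHat` (Debian, Suse, Darwin) will run the acceptance suite and fail on the `C:\...` paths rather than being skipped. An allowlist matches the declared support and fails closed: `SUPPORTED_PLATFORMS = ['windows'].freeze` here, with `if: SUPPORTED_PLATFORMS.include?(fact('osfamily'))` replacing the `unless:` clause in `spec/acceptance/acceptance_spec.rb`. The `# Install Puppet Enterprise Agent` comment does not match `run_puppet_install_helper`, which installs whichever agent the beaker environment selects; `# Install the Puppet agent unless provisioning is disabled` is accurate. `proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))` can be shortened to `File.expand_path('..', __dir__)`.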
@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+provider_resource = Puppet::Type.type(:advanced_security_policy)
+provider_class = provider_resource.provider(:lgpo)
+
+describe provider_class do
+ subject { provider_class }
+
+ let(:resource) do
+ provider_resource.new(
+ name: 'Prohibit installation and configuration of Network Bridge on your DNS domain network',
+ ensure: 'present',
+ configuration: 'Computer',
+ registry_key: 'Software\Policies\Microsoft\Windows\Network Connections',
+ value_name: 'NC_AllowNetBridge_NLA',
+ policy_value: '1',
+ )
+ end
+
+ let(:provider) { described_class.new(resource) }
+
+ describe 'provider' do
+ it 'is an instance of Puppet::Type::Advanced_security_policy::ProviderLgpo' do
+ expect(provider).to be_an_instance_of Puppet::Type::Advanced_security_policy::ProviderLgpo
+ end
+
+ it 'responds to function calls' do
+ expect(provider).to respond_to(:action)
+ expect(provider).to respond_to(:flush)
+ expect(provider.class).to respond_to(:instances)
+ expect(provider.class).to respond_to(:prefetch)
+ end
+
+ describe 'instances' do
+ it 'returns policy properties' do
+ policies = '; ----------------------------------------------------------------------
+; PARSING Computer POLICY
+; Source file: C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol
+
+Computer
+Software\\Policies\\Microsoft\\Windows\\EventLog\\Application
+MaxSize
+DWORD:32768'
+ provider.class.stubs(securitypol: policies)
+ provider.class.stubs(registry_file_exists: true)
+ provider.class.expects(:new)
+ .with(
+ name: 'Application: Specify the maximum log file size (KB)',
+ ensure: :present,
+ policy_value: '32768',
+ )
+ provider.class.instances
+ end
+ end
+
+ describe 'flush' do
+ before :each do
+ provider.class.stubs(:write_setting_to_tempfile)
+ .with('Computer', 'Software\\Policies\\Microsoft\\Windows\\Network Connections', 'NC_AllowNetBridge_NLA', 'DWORD:1')
+
+ provider.instance_variable_set(
+ :@property_flush,
+ configuration: 'Computer',
+ registry_key: 'Software\\Policies\\Microsoft\\Windows\\Network Connections',
+ value_name: 'NC_AllowNetBridge_NLA',
+ action: 'DWORD:1',
+ )
+ end
+
+ describe 'securitypol should be called' do
+ it 'calls securitypol in order to set policies' do
+ provider.class.stubs(:security_policy)
+ provider.expects(:securitypol)
+ .with('/t', 'C:\\windows\\temp\\lgpotemp.txt')
+ provider.flush
+ end
+ end
+ end
+
+ describe 'self.' do
+ describe 'prefetch' do
+ context 'with valid resource' do
+ it 'stores prov into resource.provider' do
+ prov_mock = mock
+ prov_mock.expects(:name).returns('foo')
+ resource_mock = mock
+ resource_mock.expects(:provider=)
+ resources = {}
+ resources['foo'] = resource_mock
+ provider.class.stubs(instances: [prov_mock])
+ provider.class.prefetch(resources)
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/spec/unit/puppet/type/advanced_security_policy_spec.rb b/spec/unit/puppet/type/advanced_security_policy_spec.rb
new file mode 100644
index 0000000..f420ec5
--- /dev/null
+++ b/spec/unit/puppet/type/advanced_security_policy_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+type_class = Puppet::Type.type(:advanced_security_policy)
+
+EXAMPLE = {
+ name: 'Application: Specify the maximum log file size (KB)',
+ action: 'DWORD:0001',
+}.freeze
+
+describe type_class do
+ let :params do
+ [
+ :policy_key,
+ ]
+ end
+
+ let :properties do
+ [
+ :action,
+ ]
+ end
+
+ it 'has expected properties' do
+ properties.each do |property|
+ expect(type_class.properties.map(&:name)).to be_include(property)
+ end
+ end
+
+ it 'has expected parameters' do
+ params.each do |param|
+ expect(type_class.parameters).to be_include(param)
+ end
+ end
+
+ it 'requires a policy_key' do
+ expect {
+ type_class.new({})
+ }.to raise_error(Puppet::Error, 'Title or name must be provided')
+ end
+end
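Review bot: `provider.class.stubs(:security_policy)` in the 'calls securitypol in order to set policies' example stubs a name that appears nowhere else in this file; every other reference to the command is `securitypol` (`stubs(securitypol: policies)` in the instances example and `expects(:securitypol)` two lines below). With mocha's default configuration a stub on a method the provider does not define is accepted silently, so this line is either dead or a typo standing in for the intended class-level stub. If the goal was to keep the class-level command wrapper from running the real binary, `provider.class.stubs(:securitypol)` is the consistent spelling; otherwise the line should go. The instances example only verifies `expects(:new)` and discards the return of `provider.class.instances`; asserting on the returned collection as well would catch a provider that builds the object and then drops it, assuming instances returns what it constructs.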
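Review bot: `EXAMPLE = { name: ..., action: 'DWORD:0001' }.freeze` is a top-level constant that no example in this file references, so it lands in the global namespace of the whole spec run for nothing. Either use it, for instance `expect(type_class.new(EXAMPLE)[:action]).to eq('DWORD:0001')` to exercise the `action` property that the `properties` list claims the type has, or delete it. The example named 'requires a policy_key' asserts `'Title or name must be provided'`, which is Puppet's generic title check rather than any `policy_key` validation; `it 'requires a title'` describes what is actually tested, and a separate example passing a `name` without `policy_key` would cover what the current description promises, if the type validates that parameter.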