{"id":20156280,"url":"https://github.com/dsccommunity/xsystemsecurity","last_synced_at":"2025-04-09T22:23:38.937Z","repository":{"id":30468277,"uuid":"34022263","full_name":"dsccommunity/xSystemSecurity","owner":"dsccommunity","description":"THIS MODULE HAS BEEN DEPRECATED. See the README.md for more information.","archived":false,"fork":false,"pushed_at":"2020-09-30T13:05:37.000Z","size":167,"stargazers_count":16,"open_issues_count":0,"forks_count":19,"subscribers_count":20,"default_branch":"master","last_synced_at":"2024-05-08T22:11:15.321Z","etag":null,"topics":["dsc","dsc-resources","filesystem","powershell","uac"],"latest_commit_sha":null,"homepage":"https://github.com/dsccommunity/xSystemSecurity/blob/master/README.md","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dsccommunity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-04-15T22:43:08.000Z","updated_at":"2022-12-25T07:29:19.000Z","dependencies_parsed_at":"2022-09-07T15:50:32.973Z","dependency_job_id":null,"html_url":"https://github.com/dsccommunity/xSystemSecurity","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsccommunity%2FxSystemSecurity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsccommunity%2FxSystemSecurity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsccommunity%2FxSystemSecurity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsccommunity%2FxSystemSecurity/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dsccommunity","download_url":"https://codeload.github.com/dsccommunity/xSystemSecurity/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248120948,"owners_count":21051055,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dsc","dsc-resources","filesystem","powershell","uac"],"created_at":"2024-11-13T23:38:15.961Z","updated_at":"2025-04-09T22:23:38.910Z","avatar_url":"https://github.com/dsccommunity.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# **THIS MODULE HAS BEEN DEPRECATED**\r\n\r\nIt will no longer be released. 
Please use the following modules instead:\r\n\r\n- The resource `xIEEsc` has been replaced by `IEEnhancedSecurityConfiguration`\r\n  in the module [ComputerManagementDsc](https://github.com/dsccommunity/ComputerManagementDsc).\r\n- The resource `xUac` has been replaced by `UserAccountControl`\r\n  in the module [ComputerManagementDsc](https://github.com/dsccommunity/ComputerManagementDsc).\r\n- The resource `xFileSystemAccessRule` has been replaced by `FileSystemAccessRule`\r\n  in the module [FileSystemDsc](https://github.com/dsccommunity/FileSystemDsc).\r\n\r\n## xSystemSecurity\r\n\r\n[![Build Status](https://dev.azure.com/dsccommunity/xSystemSecurity/_apis/build/status/dsccommunity.xSystemSecurity?branchName=master)](https://dev.azure.com/dsccommunity/xSystemSecurity/_build/latest?definitionId=17\u0026branchName=master)\r\n![Azure DevOps coverage (branch)](https://img.shields.io/azure-devops/coverage/dsccommunity/xSystemSecurity/17/master)\r\n[![Azure DevOps tests](https://img.shields.io/azure-devops/tests/dsccommunity/xSystemSecurity/17/master)](https://dsccommunity.visualstudio.com/xSystemSecurity/_test/analytics?definitionId=17\u0026contextType=build)\r\n[![PowerShell Gallery (with prereleases)](https://img.shields.io/powershellgallery/vpre/xSystemSecurity?label=xSystemSecurity%20Preview)](https://www.powershellgallery.com/packages/xSystemSecurity/)\r\n[![PowerShell Gallery](https://img.shields.io/powershellgallery/v/xSystemSecurity?label=xSystemSecurity)](https://www.powershellgallery.com/packages/xSystemSecurity/)\r\n\r\nThis module contains DSC resources for configuring and managing computer security.\r\n\r\n## Code of Conduct\r\n\r\nThis project has adopted this [Code of Conduct](CODE_OF_CONDUCT.md).\r\n\r\n## Releases\r\n\r\nFor each merge to the branch `master` a preview release will be\r\ndeployed to [PowerShell Gallery](https://www.powershellgallery.com/).\r\nPeriodically a release version tag will be pushed which will deploy a\r\nfull release to 
[PowerShell Gallery](https://www.powershellgallery.com/).\r\n\r\n## Contributing\r\n\r\nPlease check out common DSC Community [contributing guidelines](https://dsccommunity.org/guidelines/contributing).\r\n\r\n## Resources\r\n\r\n* **xUAC** handles how and when the User Account Control Windows Prompt\r\n  shows up or doesn't show up.\r\n* **xIEEsc** enables or disables IE Enhanced Security Configuration.\r\n* **xFileSystemAccessRule** modifies the rights of file system objects.\r\n\r\n### xUAC\r\n\r\n* **Setting**: The desired User Account Control Setting:\r\n  { AlwaysNotify | NotifyChanges | NotifyChangesWithoutDimming | NeverNotify |\r\n  NeverNotifyAndDisableAll }\r\n  * **AlwaysNotify**: You will be notified before programs make changes to your\r\n    computer or to Windows settings that require the permissions of an administrator.\r\n    When you're notified, your desktop will be dimmed, and you must either approve\r\n    or deny the request in the UAC dialog box before you can do anything else on\r\n    your computer. The dimming of your desktop is referred to as the secure desktop\r\n    because other programs can't run while it's dimmed. This is the most secure\r\n    setting. When you are notified, you should carefully read the contents of each\r\n    dialog box before allowing changes to be made to your computer.\r\n  * **NotifyChanges**: You will be notified before programs make changes to your\r\n    computer that require the permissions of an administrator. You will not be notified\r\n    if you try to make changes to Windows settings that require the permissions of\r\n    an administrator. You will be notified if a program outside of Windows tries\r\n    to make changes to a Windows setting. It's usually safe to allow changes to be\r\n    made to Windows settings without you being notified. 
However, certain programs\r\n    that come with Windows can have commands or data passed to them, and malicious\r\n    software can take advantage of this by using these programs to install files\r\n    or change settings on your computer. You should always be careful about which\r\n    programs you allow to run on your computer.\r\n  * **NotifyChangesWithoutDimming**: You will be notified before programs make\r\n    changes to your computer that require the permissions of an administrator.\r\n    You will not be notified if you try to make changes to Windows settings that\r\n    require the permissions of an administrator. You will be notified if a program\r\n    outside of Windows tries to make changes to a Windows setting. This setting is\r\n    the same as \"NotifyChanges\" but you are not notified on the secure desktop.\r\n    Because the UAC dialog box isn't on the secure desktop with this setting, other\r\n    programs might be able to interfere with the dialog's visual appearance. This\r\n    is a small security risk if you already have a malicious program running on\r\n    your computer.\r\n  * **NeverNotify**: You will not be notified before any changes are made to your\r\n    computer. If you are logged on as an administrator, programs can make changes\r\n    to your computer without you knowing about it. If you are logged on as a\r\n    standard user, any changes that require the permissions of an administrator will\r\n    automatically be denied. If you select this setting, you will need to restart\r\n    the computer to complete the process of turning off UAC. Once UAC is off, people\r\n    that log on as administrator will always have the permissions of an administrator.\r\n    This is the least secure setting. When you set UAC to never notify, you open\r\n    up your computer to potential security risks. 
If you set UAC to never notify,\r\n    you should be careful about which programs you run, because they will have the\r\n    same access to the computer as you do. This includes reading and making changes\r\n    to protected system areas, your personal data, saved files, and anything else\r\n    stored on the computer. Programs will also be able to communicate and transfer\r\n    information to and from anything your computer connects with, including the\r\n    Internet.\r\n  * **NeverNotifyAndDisableAll**: You will not be notified before any changes are\r\n    made to your computer. If you are logged on as an administrator, programs can\r\n    make changes to your computer without you knowing about it. If you are logged\r\n    on as a standard user, any changes that require the permissions of an administrator\r\n    will automatically be denied. If you select this setting, you will need to\r\n    restart the computer to complete the process of turning off UAC. Once UAC is\r\n    off, people that log on as administrator will always have the permissions of\r\n    an administrator. This is the least secure setting, the same as \"NeverNotify\", but\r\n    in addition the EnableLUA registry key is disabled. EnableLUA controls the behavior\r\n    of all UAC policy settings for the computer. If you change this policy setting,\r\n    you must restart your computer. 
We do not recommend using this setting, but it\r\n    can be selected for systems that use programs that are not certified for\r\n    Windows 8, Windows Server 2012, Windows 7 or Windows Server 2008 R2 because\r\n    they do not support UAC.\r\n\r\n### xIEEsc\r\n\r\n* **UserRole**: Enable or Disable ESC for **Administrators** or **Users**.\r\n* **IsEnabled**: Determines if ESC is **Enabled** or **Disabled**.\r\n\r\n### xFileSystemAccessRule\r\n\r\n* **`[String]` Path** _(Key)_: The path to the item that should have\r\n  permissions set\r\n* **`[String]` Identity** _(Key)_: The identity to set permissions for\r\n* **`[String[]]` Rights** _(Write)_: The permissions to include in this\r\n  rule. Optional if Ensure is set to value 'Absent'. { ListDirectory |\r\n  ReadData | WriteData | CreateFiles | CreateDirectories | AppendData |\r\n  ReadExtendedAttributes | WriteExtendedAttributes | Traverse | ExecuteFile |\r\n  DeleteSubdirectoriesAndFiles | ReadAttributes | WriteAttributes | Write |\r\n  Delete | ReadPermissions | Read | ReadAndExecute | Modify | ChangePermissions |\r\n  TakeOwnership | Synchronize | FullControl }\r\n* **`[String]` Ensure** _(Write)_: Present to create the rule, Absent to\r\n  remove an existing rule. Default value is 'Present'. { *Present* | Absent }\r\n* **`[Boolean]` ProcessOnlyOnActiveNode** _(Write)_: Specifies that the resource\r\n  will only determine if a change is needed if the target node is the active host\r\n  of the filesystem object. The user the configuration is run as must have\r\n  permission to the Windows Server Failover Cluster.\r\n* **`[Boolean]` IsActiveNode** _(Read)_: Determines if the current node\r\n  is actively hosting the filesystem object. 
This will always return\r\n  $true if ProcessOnlyOnActiveNode is not set or the value of\r\n  ProcessOnlyOnActiveNode is set to $false.\r\n\r\nPlease refer to [this article](http://technet.microsoft.com/en-us/library/dd883248(v=ws.10).aspx)\r\nfor the effects and security impact of Enhanced Security Configuration.\r\n\r\n## Examples\r\n\r\n### Disable User Account Control\r\n\r\nThis configuration will never show the UAC prompt and will disable all\r\nUser Account Control settings. This setting when changed requires a restart\r\nof the computer.\r\n\r\n```powershell\r\nConfiguration NeverNotifyAndDisableAll\r\n{\r\n    Import-DSCResource -Module MSFT_xSystemSecurity -Name xUac\r\n\r\n    Node localhost\r\n    {\r\n        xUAC NeverNotifyAndDisableAll\r\n        {\r\n            Setting = \"NeverNotifyAndDisableAll\"\r\n        }\r\n    }\r\n}\r\n```\r\n\r\n### Disable IE Enhanced Security Configuration\r\n\r\nThis configuration will disable IE Enhanced Security Configuration.\r\n\r\n```powershell\r\nConfiguration DisableLocalIEEsc\r\n{\r\n    Import-DSCResource -Module MSFT_xSystemSecurity -Name xIEEsc\r\n\r\n    Node localhost\r\n    {\r\n        xIEEsc DisableIEEsc\r\n        {\r\n            IsEnabled = $false\r\n            UserRole = \"Users\"\r\n        }\r\n    }\r\n}\r\n```\r\n\r\n### Sets a permission on a specific folder\r\n\r\nThis configuration will grant the network service account full control\r\nover the directory.\r\n\r\n```powershell\r\nConfiguration FullControlExample\r\n{\r\n    Import-DSCResource -Module MSFT_xSystemSecurity\r\n\r\n    Node localhost\r\n    {\r\n        xFileSystemAccessRule FullControlExample\r\n        {\r\n            Path = \"$env:SystemDrive\\some\\path\"\r\n            Identity = \"NT AUTHORITY\\NETWORK SERVICE\"\r\n            Rights = @(\"FullControl\")\r\n        }\r\n    
}\r\n}\r\n```\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsccommunity%2Fxsystemsecurity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdsccommunity%2Fxsystemsecurity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsccommunity%2Fxsystemsecurity/lists"}