{"id":21002793,"url":"https://github.com/kpn-puppet/puppet-kpn-local_security_policy","last_synced_at":"2025-05-15T00:31:30.105Z","repository":{"id":31840614,"uuid":"129109108","full_name":"kpn-puppet/puppet-kpn-local_security_policy","owner":"kpn-puppet","description":"Puppet module to manage Local Security Policies on Windows Server 2008R2 and upwards","archived":false,"fork":false,"pushed_at":"2024-09-10T12:27:45.000Z","size":59,"stargazers_count":1,"open_issues_count":11,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-09-11T12:30:04.839Z","etag":null,"topics":["puppet","security","windows"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpn-puppet.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-11T14:46:11.000Z","updated_at":"2024-09-10T11:32:40.000Z","dependencies_parsed_at":"2024-09-09T10:44:50.769Z","dependency_job_id":"bc7c3d4a-a8a4-443f-9c38-1fb6cfb4263d","html_url":"https://github.com/kpn-puppet/puppet-kpn-local_security_policy","commit_stats":{"total_commits":4,"total_committers":2,"mean_commits":2.0,"dds":0.25,"last_synced_commit":"0203992e50ab50ccb2f6c9bf72a03d1486b8278d"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpn-puppet%2Fpuppet-kpn-local_security_policy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpn-puppet%2Fpuppet-kpn-local_security_policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpn-puppet%2Fpuppet-kpn-local_security_policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpn-puppet%2Fpuppet-kpn-local_security_policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpn-puppet","download_url":"https://codeload.github.com/kpn-puppet/puppet-kpn-local_security_policy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225317154,"owners_count":17455384,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["puppet","security","windows"],"created_at":"2024-11-19T08:19:59.174Z","updated_at":"2024-11-19T08:20:00.867Z","avatar_url":"https://github.com/kpn-puppet.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Puppet Local Security Policy\nForked from [git@github.com:logicminds/local_security_policy.git](git@github.com:logicminds/local_security_policy.git)\n\n## Local_security_policy features\n\nConfigure, local security policy (LSP) for windows servers.\nLSP is key to a baseline configuration of the following security features:\n\n### Account Policy\n\n- Password Policy\n- Account Lockout Policy\n\n### Local Policy\n\n- Audit Policy\n- User Rights Assignment\n- Security Options\n- Registry Values\n\nThis module uses types and providers to list, update, validate settings\n\n## Use\n\nThe title and name of the resources is an exact match of what is in `secpol.msc` GUI. If you are uncertain of the setting name and values just use `puppet resource local_security_policy` to list all configured settings.\n\nA block will look like this:\n\n``` puppet\nlocal_security_policy { 'Audit account logon events': \u003c- Title / Name\n  ensure         =\u003e present,              \u003c- Usually set to present. Can be set to absent for some policy settings.\n  policy_setting =\u003e \"AuditAccountLogon\",  \u003c- The secedit file key. Informational purposes only, not for use in manifest definitions\n  policy_type    =\u003e \"Event Audit\",        \u003c- The secedit file section, Informational purposes only, not for use in manifest definitions\n  policy_value   =\u003e 'Success,Failure',    \u003c- Values\n}\n```\n\n### Listing all settings\n\nShow all local_security_policy resources available on server\n\n``` cmd\npuppet resource local_security_policy\n```\n\nShow a single local_security_policy resources available on server\n\n``` cmd\npuppet resource local_security_policy 'Maximum password age'\n```\n\n### More examples\n\n#### Example Password Policy\n\n``` puppet\nlocal_security_policy { 'Maximum password age':\n  ensure       =\u003e 'present',\n  policy_value =\u003e '90',\n}\n```\n\nSets the policy_value of 'Maximum password age' to '90'.\n\n#### Example Audit Policy\n\n``` puppet\nlocal_security_policy { 'Audit account logon events':\n  ensure       =\u003e 'present',\n  policy_value =\u003e 'Success,Failure',\n}\n```\n\n#### Example User Rights Policy\n\n``` puppet\nlocal_security_policy { 'Allow log on locally':\n  ensure       =\u003e present,\n  policy_value =\u003e 'Administrators, MyDomain\\Domain Admins',\n}\n```\n\n``` puppet\nlocal_security_policy { 'Allow log on through Remote Desktop Services':\n  ensure       =\u003e 'present',\n  policy_value =\u003e 'Administrators,Remote Desktop Users',\n}\n```\n\n#### Example Security Settings\n\n``` puppet\nlocal_security_policy { 'System cryptography: Use FIPS compiant algorithms for encryption, hashing, and signing':\n  ensure       =\u003e 'present',\n  policy_value =\u003e 'enabled',\n}\n```\n\nWhen you can select an option, specify the exact option as displayed in the `secpol.msc` GUI.\n\n``` puppet\nlocal_security_policy { 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode':\n  ensure       =\u003e 'present',\n  policy_value =\u003e 'Elevate without prompting',\n}\n```\n\n### Full list of settings available\n\n``` puppet\nEnforce password history\nMaximum password age\nMinimum password age\nMinimum password length\nPassword must meet complexity requirements\nRelax minimum password length limits\nStore passwords using reversible encryption\nAccount lockout duration\nAccount lockout threshold\nReset account lockout counter after\nAudit account logon events\nAudit account management\nAudit directory service access\nAudit logon events\nAudit object access\nAudit policy change\nAudit privilege use\nAudit process tracking\nAudit system events\nAccess Credential Manager as a trusted caller\nAccess this computer from the network\nAct as part of the operating system\nAdd workstations to domain\nAdjust memory quotas for a process\nAllow log on locally\nAllow log on through Remote Desktop Services\nBack up files and directories\nBypass traverse checking\nChange the system time\nChange the time zone\nCreate a pagefile\nCreate a token object\nCreate global objects\nCreate permanent shared objects\nCreate symbolic links\nDebug programs\nDeny access to this computer from the network\nDeny log on as a batch job\nDeny log on as a service\nDeny log on locally\nDeny log on through Remote Desktop Services\nEnable computer and user accounts to be trusted for delegation\nForce shutdown from a remote system\nGenerate security audits\nImpersonate a client after authentication\nIncrease a process working set\nIncrease scheduling priority\nLoad and unload device drivers\nLock pages in memory\nLog on as a batch job\nLog on as a service\nManage auditing and security log\nModify an object label\nModify firmware environment values\nPerform volume maintenance tasks\nProfile single process\nProfile system performance\nRemove computer from docking station\nReplace a process level token\nRestore files and directories\nShut down the system\nSynchronize directory service data\nTake ownership of files or other objects\nAccounts: Administrator account status\nAccounts: Guest account status\nAccounts: Limit local account use of blank passwords to console logon only\nAccounts: Rename administrator account\nAccounts: Rename guest account\nAudit: Audit the access of global system objects\nAudit: Audit the use of Backup and Restore privilege\nAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\nAudit: Shut down system immediately if unable to log security audits\nDCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax\nDCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax\nDevices: Allow undock without having to log on\nDevices: Allowed to format and eject removable media\nDevices: Prevent users from installing printer drivers\nDevices: Restrict CD-ROM access to locally logged-on user only\nDevices: Restrict floppy access to locally logged-on user only\nDomain controller: Allow server operators to schedule tasks\nDomain controller: LDAP server channel binding token requirements\nDomain controller: LDAP server signing requirements\nDomain controller: Refuse machine account password changes\nDomain member: Digitally encrypt or sign secure channel data (always)\nDomain member: Digitally encrypt secure channel data (when possible)\nDomain member: Digitally sign secure channel data (when possible)\nDomain member: Disable machine account password changes\nDomain member: Maximum machine account password age\nDomain member: Require strong (Windows 2000 or later) session key\nInteractive logon: Display user information when the session is locked\nInteractive logon: Do not display last user name\nInteractive logon: Do not require CTRL+ALT+DEL\nInteractive logon: Message title for users attempting to log on\nInteractive logon: Message text for users attempting to log on\nInteractive logon: Number of previous logons to cache (in case domain controller is not available)\nInteractive logon: Prompt user to change password before expiration\nInteractive logon: Require Domain Controller authentication to unlock workstation\nInteractive logon: Require smart card\nInteractive logon: Smart card removal behavior\nInteractive logon: Machine inactivity limit\nInteractive logon: Machine account lockout threshold\nMicrosoft network client: Digitally sign communications (always)\nMicrosoft network client: Digitally sign communications (if server agrees)\nMicrosoft network client: Send unencrypted password to third-party SMB servers\nMicrosoft network server: Amount of idle time required before suspending session\nMicrosoft network server: Digitally sign communications (always)\nMicrosoft network server: Digitally sign communications (if client agrees)\nMicrosoft network server: Disconnect clients when logon hours expire\nMicrosoft network server: Server SPN target name validation level\nNetwork access: Allow anonymous SID/name translation\nNetwork access: Do not allow anonymous enumeration of SAM accounts\nNetwork access: Do not allow anonymous enumeration of SAM accounts and shares\nNetwork access: Do not allow storage of passwords and credentials for network authentication\nNetwork access: Let Everyone permissions apply to anonymous users\nNetwork access: Named Pipes that can be accessed anonymously\nNetwork access: Remotely accessible registry paths\nNetwork access: Remotely accessible registry paths and sub-paths\nNetwork access: Restrict anonymous access to Named Pipes and Shares\nNetwork access: Shares that can be accessed anonymously\nNetwork access: Sharing and security model for local accounts\nNetwork security: Do not store LAN Manager hash value on next password change\nNetwork security: Force logoff when logon hours expire\nNetwork security: LAN Manager authentication level\nNetwork security: LDAP client signing requirements\nNetwork security: Minimum session security for NTLM SSP based (including secure RPC) clients\nNetwork security: Minimum session security for NTLM SSP based (including secure RPC) servers\nRecovery console: Allow automatic administrative logon\nRecovery console: Allow floppy copy and access to all drives and all folders\nShutdown: Allow system to be shut down without having to log on\nShutdown: Clear virtual memory pagefile\nSystem cryptography: Force strong key protection for user keys stored on the computer\nSystem cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing\nSystem objects: Require case insensitivity for non-Windows subsystems\nSystem objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)\nSystem settings: Optional subsystems\nSystem settings: Use Certificate Rules on Windows Executables for Software Restriction Policies\nUser Account Control: Admin Approval Mode for the Built-in Administrator account\nUser Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop\nUser Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode\nUser Account Control: Behavior of the elevation prompt for standard users\nUser Account Control: Detect application installations and prompt for elevation\nUser Account Control: Only elevate executable files that are signed and validated\nUser Account Control: Only elevate UIAccess applications that are installed in secure locations\nUser Account Control: Run all administrators in Admin Approval Mode\nUser Account Control: Switch to the secure desktop when prompting for elevation\nUser Account Control: Virtualize file and registry write failures to per-user locations\n```\n\n## How this works\n\nThe local_security_policy works by using `secedit /export` to export a list of currently set policies.  The module will then\ntake the user defined resource and compare the values against the exported policies.  If the values on the system do not match\nthe defined resource, the module will run `secedit /configure` to configure the policy on the system.  If the policy already\nexists on the system no change will be made.\n\nIn order to make setting these polices easier, this module has extracted some of the difficult to lookup or remember pieces\nof a policy and placed them in a map for easy translation and value conversion.  This means that you only need to remember the user\ninstead of the sid value, as well as the policy description instead of the special key that needs to be set.  The mappings\nbelow define how this translation works.  If there is no map for your policy you will need to add to `lib/puppet_x/lsp/security_policy.rb`\n\n``` puppet\n'Accounts: Rename administrator account' =\u003e {\n  :name        =\u003e 'NewAdministratorName',\n  :policy_type =\u003e 'System Access',\n  :data_type   =\u003e :quoted_string\n},\n'Recovery console: Allow floppy copy and access to all drives and all folders' =\u003e {\n  :name        =\u003e 'MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SetCommand',\n  :reg_type    =\u003e '4',\n  :policy_type =\u003e 'Registry Values',\n},\n```\n\nThe key `Accounts: Rename administrator account` in the first hash is what the user will define as the name in the resource name.\nInstead of remembering the policy name, the description will help us remember what the policy is for.  When defining new policy\nmaps you will need to define the key, name, policy_type, and optionally, data_type or reg_type.\n\nCurrently for data_type there is `:string`, `:integer`, `:boolean` or `:multi_select`.  For reg_type (integer value) there are many values which are listed below:\n\n``` puppet\n    REG_NONE 0\n    REG_SZ 1\n    REG_EXPAND_SZ 2\n    REG_BINARY 3\n    REG_DWORD 4\n    REG_DWORD_LITTLE_ENDIAN 4\n    REG_DWORD_BIG_ENDIAN 5\n    REG_LINK 6\n    REG_MULTI_SZ 7\n    REG_RESOURCE_LIST 8\n    REG_FULL_RESOURCE_DESCRIPTOR 9\n    REG_RESOURCE_REQUIREMENTS_LIST 10\n    REG_QWORD 11\n    REG_QWORD_LITTLE_ENDIAN 11\n```\n\n## TODO: Future release\n\n- Handle unsupported policies\n## Limitations\nThis is where you list OS compatibility, version compatibility, etc.\n\nThis module works on:\n\n- Windows 2012 R2\n- Windows 2016\n- Windows 2019\n- Windows 2022\n\n## Development\n\nYou can contribute by submitting issues, providing feedback and joining the discussions.\n\nGo to: `https://github.com/kpn-puppet/puppet-kpn-local_security_policy`\n\nIf you want to fix bugs, add new features etc:\n- Fork it\n- Create a feature branch ( git checkout -b my-new-feature )\n- Apply your changes and update rspec tests\n- Run rspec tests ( pdk validate/pdk test unit)\n- Commit your changes ( git commit -am 'Added some feature' )\n- Push to the branch ( git push origin my-new-feature )\n- Create new Pull Request\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpn-puppet%2Fpuppet-kpn-local_security_policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpn-puppet%2Fpuppet-kpn-local_security_policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpn-puppet%2Fpuppet-kpn-local_security_policy/lists"}