-
-
Save frankiem-4/394a781fd2aff6e99c3f59e36af4c2b8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#requires -Version 4.0 | |
<# | |
Author: Luke Murray (Luke.Geek.NZ) | |
Version: 0.1 | |
Purpose: Windows 10 Baseline Hardening using DSC per DoD DISA STIG recommendations 22/06/18. | |
Modified to include comments explaining config by Frankie McDonough 01/23/19. | |
#> | |
Configuration 'Win10' | |
{ | |
Import-DscResource -ModuleName PSDesiredStateConfiguration | |
Node localhost | |
{ | |
# Enhanced anti-spoofing provides additional protections when using facial recognition with devices that support it. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63677) | |
Registry 'EnhancedAntiSpoofing' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures' | |
ValueName = 'EnhancedAntiSpoofing' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Sets default value to longer key lengths | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-74413) | |
Registry 'EccCurves' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' | |
ValueName = 'EccCurves' | |
ValueType = 'MultiString' | |
ValueData = 'System.String[]' | |
} | |
# Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds. | |
# (https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63743) | |
Registry 'DisableEnclosureDownload' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds' | |
ValueName = 'DisableEnclosureDownload' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
#Passwords save locally for re-use when browsing may be subject to compromise. | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63709) | |
Registry 'FormSuggest Passwords' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main' | |
ValueName = 'FormSuggest Passwords' | |
ValueType = 'String' | |
ValueData = 'no' | |
} | |
# The InPrivate browsing feature in Microsoft Edge prevents the storing of history, cookies, temporary Internet files, or other data. | |
# (https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-63705) | |
Registry 'AllowInPrivate' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main' | |
ValueName = 'AllowInPrivate' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# The SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63699) | |
Registry 'PreventOverride' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter' | |
ValueName = 'PreventOverride' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63701) | |
Registry 'PreventOverrideAppRepUnknown' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter' | |
ValueName = 'PreventOverrideAppRepUnknown' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# The SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites. | |
# (https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-63713) | |
Registry 'EnabledV9' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter' | |
ValueName = 'EnabledV9' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Clearing browser data on exit automatically deletes specified items when the last browser window closes. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-74415) | |
Registry 'ClearBrowsingHistoryOnExit' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Privacy' | |
ValueName = 'ClearBrowsingHistoryOnExit' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftPassportForWork::MSPassport_RequireSecurityDevice) | |
Registry 'TPM12' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices' | |
ValueName = 'TPM12' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Windows allows the use of PINs as well as biometrics for authentication without sending a password to a network or website where it could be compromised. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63721) | |
Registry 'MinimumPINLength' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity' | |
ValueName = 'MinimumPINLength' | |
ValueType = 'DWord' | |
ValueData = '6' | |
} | |
# The use of a Trusted Platform Module (TPM) to store keys for Windows Hello for Business provides additional security. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63717) | |
Registry 'RequireSecurityDevice' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork' | |
ValueName = 'RequireSecurityDevice' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery). | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63645) | |
Registry 'DCSettingIndex' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' | |
ValueName = 'DCSettingIndex' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in). | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63649) | |
Registry 'ACSettingIndex' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' | |
ValueName = 'ACSettingIndex' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Some features may communicate with the vendor, sending system information or downloading data or components for the feature. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63663) | |
Registry 'DisableInventory' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat' | |
ValueName = 'DisableInventory' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Microsoft consumer experiences provides suggestions and notifications to users which may include the installation of Windows Store apps. | |
# (https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-71771) | |
Registry 'DisableWindowsConsumerFeatures' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent' | |
ValueName = 'DisableWindowsConsumerFeatures' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-74699) | |
Registry 'AllowProtectedCreds' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation' | |
ValueName = 'AllowProtectedCreds' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), | |
# Defender and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63683) | |
Registry 'AllowTelemetry' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection' | |
ValueName = 'AllowTelemetry' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-65681) | |
Registry 'DODownloadMode' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization' | |
ValueName = 'DODownloadMode' | |
ValueType = 'DWord' | |
ValueData = '2' | |
} | |
# Virtualization based protection of code integrity enforces kernel mode memory protections as well as protecting Code Integrity validation paths. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63603) | |
Registry 'HypervisorEnforcedCodeIntegrity' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
ValueName = 'HypervisorEnforcedCodeIntegrity' | |
ValueType = 'DWord' | |
ValueData = '2' | |
} | |
# Virtualization Based Security (VBS) provides the platform for the additional security features, Credential Guard and Virtualization based protection of code integrity. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63595) | |
Registry 'EnableVirtualizationBasedSecurity' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
ValueName = 'EnableVirtualizationBasedSecurity' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::VirtualizationBasedSecurity) | |
Registry 'HVCIMATRequired' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
ValueName = 'HVCIMATRequired' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::VirtualizationBasedSecurity) | |
Registry 'LsaCfgFlags' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
ValueName = 'LsaCfgFlags' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Specifies whether Virtualization Based Security is enabled. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::VirtualizationBasedSecurity) | |
Registry 'RequirePlatformSecurityFeatures' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
ValueName = 'RequirePlatformSecurityFeatures' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63519) | |
Registry 'MaxSize' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application' | |
ValueName = 'MaxSize' | |
ValueType = 'DWord' | |
ValueData = '32768' | |
} | |
# Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63523) | |
Registry 'MaxSize1' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security' | |
ValueName = 'MaxSize' | |
ValueType = 'DWord' | |
ValueData = '1024000' | |
} | |
# Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63527) | |
Registry 'MaxSize2' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System' | |
ValueName = 'MaxSize' | |
ValueType = 'DWord' | |
ValueData = '32768' | |
} | |
# Allowing autoplay to execute may introduce malicious code to a system. | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63667) | |
Registry 'NoAutoplayfornonVolume' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer' | |
ValueName = 'NoAutoplayfornonVolume' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Windows Game Recording and Broadcasting is intended for use with games, however it could potentially record screen shots of other applications and expose sensitive data. | |
# https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-74417 | |
Registry 'AllowGameDVR' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameDVR' | |
ValueName = 'AllowGameDVR' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. | |
# It overrides customized settings that the program implementing a registry policy set when it was installed. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::CSE_Registry) | |
Registry 'NoBackgroundPolicy' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' | |
ValueName = 'NoBackgroundPolicy' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. | |
# It overrides customized settings that the program implementing a registry policy set when it was installed. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::CSE_Registry) | |
Registry 'NoGPOListChanges' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' | |
ValueName = 'NoGPOListChanges' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63321) | |
Registry 'EnableUserControl' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer' | |
ValueName = 'EnableUserControl' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Standard user accounts must not be granted elevated privileges. | |
# (https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974) | |
Registry 'AlwaysInstallElevated' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer' | |
ValueName = 'AlwaysInstallElevated' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63569) | |
Registry 'AllowInsecureGuestAuth' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation' | |
ValueName = 'AllowInsecureGuestAuth' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Internet connection sharing makes it possible for an existing internet connection, such as through wireless, to be shared and used by other systems essentially creating a mobile hotspot. | |
# (https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-71765) | |
Registry 'NC_ShowSharedAccessUI' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections' | |
ValueName = 'NC_ShowSharedAccessUI' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access them. | |
# This aids in preventing tampering with or spoofing of connections to these paths. | |
# (https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63577) | |
Registry '\\*\NETLOGON' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' | |
ValueName = '\\*\NETLOGON' | |
ValueType = 'String' | |
ValueData = 'RequireMutualAuthentication=1,RequireIntegrity=1' | |
} | |
# Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access them. | |
# This aids in preventing tampering with or spoofing of connections to these paths. | |
# (https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63577) | |
Registry '\\*\SYSVOL' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' | |
ValueName = '\\*\SYSVOL' | |
ValueType = 'String' | |
ValueData = 'RequireMutualAuthentication=1,RequireIntegrity=1' | |
} | |
# OneDrive provides access to external services for data storage which must not be used. Enabling this setting will prevent such access from the OneDrive app, as well as from File Explorer. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63725) | |
Registry 'DisableFileSyncNGSC' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive' | |
ValueName = 'DisableFileSyncNGSC' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Enabling camera access from the lock screen could allow for unauthorized use. Requiring logon will ensure the device is only used by authorized personnel. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63545) | |
Registry 'NoLockScreenCamera' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization' | |
ValueName = 'NoLockScreenCamera' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. | |
# (https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63549) | |
Registry 'NoLockScreenSlideshow' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization' | |
ValueName = 'NoLockScreenSlideshow' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system. | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-68819) | |
Registry 'EnableScriptBlockLogging' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' | |
ValueName = 'EnableScriptBlockLogging' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Enabling Windows Defender SmartScreen will warn or prevent users from running potentially malicious programs. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685) | |
Registry 'ShellSmartScreenLevel' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
ValueName = 'ShellSmartScreenLevel' | |
ValueType = 'String' | |
ValueData = 'Block' | |
} | |
# Enabling interaction with the network selection UI allows users to change connections to available networks without signing into Windows. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63629) | |
Registry 'DontDisplayNetworkSelectionUI' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
ValueName = 'DontDisplayNetworkSelectionUI' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsLogon::EnumerateLocalUsers) | |
Registry 'EnumerateLocalUsers' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
ValueName = 'EnumerateLocalUsers' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Enabling Windows Defender SmartScreen will warn or prevent users from running potentially malicious programs. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685) | |
Registry 'EnableSmartScreen' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
ValueName = 'EnableSmartScreen' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# When connected to a domain, communication must go through the domain connection. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63585) | |
Registry 'fBlockNonDomain' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' | |
ValueName = 'fBlockNonDomain' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63751) | |
Registry 'AllowIndexingEncryptedStoresOrItems' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search' | |
ValueName = 'AllowIndexingEncryptedStoresOrItems' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Basic authentication uses plain text passwords that could be used to compromise a system. | |
# (https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000123) | |
Registry 'AllowBasic' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client' | |
ValueName = 'AllowBasic' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. | |
# (https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63341) | |
Registry 'AllowDigest' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client' | |
ValueName = 'AllowDigest' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Unencrypted remote access to a system can allow sensitive information to be compromised. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63339) | |
Registry 'AllowUnencryptedTraffic' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client' | |
ValueName = 'AllowUnencryptedTraffic' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Basic authentication uses plain text passwords that could be used to compromise a system. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63347) | |
Registry 'AllowBasic1' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' | |
ValueName = 'AllowBasic' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. | |
# (https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63375) | |
Registry 'DisableRunAs' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' | |
ValueName = 'DisableRunAs' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Unencrypted remote access to a system can allow sensitive information to be compromised. | |
# (https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-63369) | |
Registry 'AllowUnencryptedTraffic1' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' | |
ValueName = 'AllowUnencryptedTraffic' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# Some features may communicate with the vendor, sending system information or downloading data or components for the feature. | |
# (https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63623) | |
Registry 'DisableHTTPPrinting' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers' | |
ValueName = 'DisableHTTPPrinting' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. | |
# (https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-63615) | |
Registry 'DisableWebPnPDownload' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers' | |
ValueName = 'DisableWebPnPDownload' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63657) | |
Registry 'RestrictRemoteClients' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc' | |
ValueName = 'RestrictRemoteClients' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# If you do not configure this policy setting, users can turn on or turn off Solicited | |
# (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemoteAssistance::RA_Solicit) | |
Registry 'fAllowFullControl' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'fAllowFullControl' | |
ValueType = 'String' | |
ValueData = ' ' | |
} | |
# The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemoteAssistance::RA_Solicit) | |
Registry 'MaxTicketExpiryUnits' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'MaxTicketExpiryUnits' | |
ValueType = 'String' | |
ValueData = ' ' | |
} | |
# If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemoteAssistance::RA_Solicit) | |
Registry 'fAllowToGetHelp' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'fAllowToGetHelp' | |
ValueType = 'DWord' | |
ValueData = '0' | |
} | |
# The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemoteAssistance::RA_Solicit) | |
Registry 'fUseMailto' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'fUseMailto' | |
ValueType = 'String' | |
ValueData = ' ' | |
} | |
# The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. | |
# (https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemoteAssistance::RA_Solicit) | |
Registry 'MaxTicketExpiry' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'MaxTicketExpiry' | |
ValueType = 'String' | |
ValueData = ' ' | |
} | |
# Remote connections must be encrypted to prevent interception of data or sensitive information. | |
# Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions. | |
# (https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-63741) | |
Registry 'MinEncryptionLevel' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'MinEncryptionLevel' | |
ValueType = 'DWord' | |
ValueData = '3' | |
} | |
# The system must be configured to prevent users from saving passwords in the Remote Desktop Client. | |
# (https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63729) | |
Registry 'DisablePasswordSaving' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'DisablePasswordSaving' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Allowing unsecure RPC communication exposes the system to man in the middle attacks and data disclosure attacks. | |
# (https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63737) | |
Registry 'fEncryptRPCTraffic' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'fEncryptRPCTraffic' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data. | |
# (https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63731) | |
Registry 'fDisableCdm' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'fDisableCdm' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
# This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. | |
# (https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-3453) | |
Registry 'fPromptForPassword' { | |
Ensure = 'Present' | |
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
ValueName = 'fPromptForPassword' | |
ValueType = 'DWord' | |
ValueData = '1' | |
} | |
} | |
} | |
Win10 | |
#Start-DscConfiguration -Path ./Win10 -Wait -Verbose -Force |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment