dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License
177 stars 53 forks

SecurityOption: possible values for Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic are incorrect #144

Closed NemoDima closed 4 years ago

NemoDima commented 4 years ago

Details of the scenario you tried and the problem that is occurring

In the readme, the possible values for Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic are incorrect. Written: [String] Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic (Write) : Please see the link above for a full description. { Enable auditing for domain accounts | Enable auditing for all accounts | Disabled }

Should be: [Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic = [string]{ Allow all | Deny all accounts | Deny all domain accounts }]

Verbose logs showing the problem

SecurityPolicyDsc\SecurityOption : At least one of the values 'Disabled' is not supported or valid for property 'Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic' on class 'SecurityOption'. Please specify only supported values:
Allow all, Deny all domain accounts, Deny all accounts.
At line:207 char:9
+         SecurityOption SetAcountPolicyForRDP
+         ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnsupportedValueForProperty,SecurityPolicyDsc\SecurityOption

Compilation errors occurred while processing configuration 'Basic_settings'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Basic_settings:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

Suggested solution to the issue

Check the possible values for all parameters and update the readme file.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

SecurityOption SetAcountPolicyForRDP
{
    Name = 'ForRDP'
    Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'
    Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic = 'Disabled'
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.1794.amd64fre.rs1_release.171008-1615
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

PSVersion                      5.1.14393.1884
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.1884
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

current

X-Guardian commented 4 years ago

Hi @NemoDima, this was fixed as part of PR #137.

NemoDima commented 4 years ago

Hi @X-Guardian, if so, thank you a lot for the fix!
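
A pre-compile check for the mismatch reported in this issue, as an added example that is not part of the thread or of SecurityPolicyDsc: it compares intended SecurityOption settings against the value lists the installed resource schema declares, so a readme/schema disagreement shows up before compilation fails with UnsupportedValueForProperty. `Test-DscPropertyValue` is a hypothetical helper name, and the script assumes the SecurityPolicyDsc module is installed on the machine where the configuration is authored.

```powershell
# Added example: Test-DscPropertyValue is a hypothetical helper, not a SecurityPolicyDsc cmdlet.
function Test-DscPropertyValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $ResourceName,
        [Parameter(Mandatory)] [string]    $ModuleName,
        [Parameter(Mandatory)] [hashtable] $Settings
    )

    # Load the resource schema from the installed module (assumed to be present).
    $resource = Get-DscResource -Name $ResourceName -Module $ModuleName -ErrorAction Stop

    # Index the declared properties by name.
    $schema = @{}
    foreach ($property in $resource.Properties) { $schema[$property.Name] = $property }

    foreach ($name in $Settings.Keys) {
        $value = $Settings[$name]

        if (-not $schema.ContainsKey($name)) {
            [pscustomobject]@{ Property = $name; Value = $value; Valid = $false; Allowed = '<unknown property>' }
            continue
        }

        # Values holds the declared value list; it is empty for unconstrained properties.
        $allowed = @($schema[$name].Values)
        $valid   = ($allowed.Count -eq 0) -or ($allowed -contains $value)

        [pscustomobject]@{
            Property = $name
            Value    = $value
            Valid    = $valid
            Allowed  = ($allowed -join ' | ')
        }
    }
}

# The two settings from the configuration posted in this issue.
$settings = @{
    Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'
    Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic                      = 'Disabled'
}

Test-DscPropertyValue -ResourceName SecurityOption -ModuleName SecurityPolicyDsc -Settings $settings |
    Format-List
```

Any row with `Valid : False` lists, under `Allowed`, the values the installed schema accepts for that property, which is the list to trust when it differs from the readme.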