dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

SendConfigurationApply function does not succeed on account an AccountPolicy. #177

Open GerritH92 opened 2 years ago

GerritH92 commented 2 years ago

Details of the scenario you tried and the problem that is occurring

We use the resource below in our guest configuration package for VMs on Azure. When running Get-GuestConfigurationPackageComplianceStatus with our package, we get the error seen in the attached screenshot. The error says it cannot convert the string -1 to an int. But nowhere on the machine or in the .mof file of the configuration is the -1 value stated. This causes the guest configuration to show as non-compliant in Azure.

Anyone able to debug this or running into the same problem?

Verbose logs showing the problem

image

Suggested solution to the issue

Please help!

The DSC configuration that is used to reproduce the issue (as detailed as possible)

    # Source: https://github.com/PowerShell/SecurityPolicyDsc/blob/dev/Examples/Resources/AccountPolicy/1-AccountPolicy_Config.ps1
    AccountPolicy AccountPolicies {
        Name                                        = 'PasswordPolicies'
        # 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
        Enforce_password_history                    = 24
        # 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
        Maximum_Password_Age                        = 60
        # 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
        Minimum_Password_Age                        = 1
        # 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
        Minimum_Password_Length                     = 14
        # 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
        Password_must_meet_complexity_requirements  = 'Enabled'
        # 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
        Store_passwords_using_reversible_encryption = 'Disabled'
        # 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
        Account_lockout_duration                    = 15
        # 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
        Account_lockout_threshold                   = 10
        # 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
        Reset_account_lockout_counter_after         = 15
    }

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
PSVersion                      7.2.0
PSEdition                      Core
GitCommitId                    7.2.0
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version of the DSC module that was used

2.10.0

ixcdevops commented 1 year ago

I have seen this fail to apply when the account_lockout_duration is set to 0 in the configuration. If you update the dscresource module 'MSFT_AccountPolicy.psm1' to accept the range of values for this option to be (-1,99999) instead of (0,99999) for both the Set-TargetResource and Test-TargetResource functions. These are around lines 118 and 293 in the source.
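
A read-only check for where a -1 can come from, added here as an example and not taken from the issue or from SecurityPolicyDsc: it parses the [System Access] section of a secedit export and flags lockout values outside the 0 to 99999 range mentioned in the comment above. It assumes, which the thread does not confirm, that the -1 is the value secedit writes for LockoutDuration when accounts stay locked until an administrator unlocks them; `Get-LockoutSetting` and the sample INF text are constructed for illustration.

```powershell
# Added diagnostic example; Get-LockoutSetting is a hypothetical helper name,
# not a function of the SecurityPolicyDsc module.
function Get-LockoutSetting {
    param(
        # Lines of a security template as written by "secedit /export".
        [string[]] $InfLine,
        # Range the comment above says the resource currently accepts.
        [int] $Minimum = 0,
        [int] $Maximum = 99999
    )
    $keys = 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration'
    $inSystemAccess = $false
    foreach ($line in $InfLine) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track which INF section we are in; only [System Access] matters here.
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if (-not $inSystemAccess) { continue }
        if ($text -match '^(\w+)\s*=\s*(-?\d+)$') {
            $name  = $Matches[1]
            $value = [int] $Matches[2]
            if ($name -in $keys) {
                [pscustomobject]@{
                    Setting = $name
                    Value   = $value
                    InRange = ($value -ge $Minimum -and $value -le $Maximum)
                }
            }
        }
    }
}

# Constructed sample of an exported template (not output from the reporter's VM).
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = -1
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

Get-LockoutSetting -InfLine $sample | Format-Table -AutoSize
```

To run the same check against a live node, export the policy from an elevated prompt with `secedit.exe /export /cfg <file> /areas SECURITYPOLICY` and pass `(Get-Content <file>)` as `-InfLine`.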