dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

Minimum_Password_Length, Minimum_length_password_audit, Relax_minimum_password_length_limits #181

Open Node0Chr opened 2 years ago

Node0Chr commented 2 years ago

Details of the scenario you tried and the problem that is occurring

Verbose logs showing the problem

Suggested solution to the issue

# change $Minimum_Password_Length Validation Range in MSFT_AccountPolicy.psm1
        [Parameter()]
        [ValidateRange(0, 30)]
        [System.UInt32]
        $Minimum_Password_Length,

# Add Minimum_length_password_audit and Relax_minimum_password_length_limits to SecurityOptionData.psd1
    "Minimum_length_password_audit" = @{
        Value   = "MACHINE\System\CurrentControlSet\Control\SAM\MinimumPasswordLengthAudit"
        Section = 'Registry Values'
        Option  = @{
            String = '4,' # + <Length
        }
    }
    "Relax_minimum_password_length_limits" = @{
        Value   = "MACHINE\System\CurrentControlSet\Control\SAM\RelaxMinimumPasswordLengthLimits"
        Section = 'Registry Values'
        Option  = @{
            Enabled  = '4,1'
            Disabled = '4,0'
        }
    }

# add Minimum_length_password_audit and Relax_minimum_password_length_limits to MSFT_SecurityOption.psm1
        [Parameter()]
        [ValidateRange(0, 50)]
        [System.String]
        $Minimum_length_password_audit,

        [Parameter()]
        [ValidateSet("Enabled", "Disabled")]
        [System.String]
        $Relax_minimum_password_length_limits

# add description in MSFT_SecurityOption.schema.mof
    [Write, Description("This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 50.")] String Minimum_length_password_audit;
    [Write, Description("This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14."), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Relax_minimum_password_length_limits;

The DSC configuration that is used to reproduce the issue (as detailed as possible)

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used

3.0.0

Manbearpiet commented 2 months ago

@Node0Chr this helped me with CIS hardening compliance, thanks a bunch.
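
The three settings proposed in the issue, rendered as the secedit template text they correspond to, with a check for the dependency the schema description mentions (lengths above 14 need the relax option). This is an added example, not code from SecurityPolicyDsc or from the issue's author. `New-PasswordLengthTemplate` and `$proposedOptions` are hypothetical names, and the validation ranges are the ones proposed in the issue.

```powershell
# Added example: hypothetical helper, not part of SecurityPolicyDsc.
# The two entries below are copied from the issue's proposed SecurityOptionData.psd1 additions.
$proposedOptions = @{
    Minimum_length_password_audit        = @{
        Value  = 'MACHINE\System\CurrentControlSet\Control\SAM\MinimumPasswordLengthAudit'
        Option = @{ String = '4,' }
    }
    Relax_minimum_password_length_limits = @{
        Value  = 'MACHINE\System\CurrentControlSet\Control\SAM\RelaxMinimumPasswordLengthLimits'
        Option = @{ Enabled = '4,1'; Disabled = '4,0' }
    }
}

function New-PasswordLengthTemplate
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)] [ValidateRange(0, 30)] [System.UInt32] $MinimumPasswordLength,
        [Parameter(Mandatory = $true)] [ValidateRange(0, 50)] [System.UInt32] $AuditLength,
        [Parameter(Mandatory = $true)] [ValidateSet('Enabled', 'Disabled')] [System.String] $RelaxLimits
    )

    # Per the issue's schema text, lengths above the legacy limit of 14 need the relax option.
    if ($MinimumPasswordLength -gt 14 -and $RelaxLimits -ne 'Enabled')
    {
        throw "Minimum_Password_Length $MinimumPasswordLength exceeds 14 but Relax_minimum_password_length_limits is $RelaxLimits."
    }

    $audit = $proposedOptions['Minimum_length_password_audit']
    $relax = $proposedOptions['Relax_minimum_password_length_limits']

    # '4,' marks REG_DWORD in a secedit template; the number after the comma is the data.
    $lines = @(
        '[Unicode]'
        'Unicode=yes'
        '[System Access]'
        "MinimumPasswordLength = $MinimumPasswordLength"
        '[Registry Values]'
        ('{0}={1}{2}' -f $audit.Value, $audit.Option.String, $AuditLength)
        ('{0}={1}' -f $relax.Value, $relax.Option[$RelaxLimits])
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
    )
    return ($lines -join [System.Environment]::NewLine)
}

# Constructed sample values: a 20-character minimum with auditing at the same length.
New-PasswordLengthTemplate -MinimumPasswordLength 20 -AuditLength 20 -RelaxLimits 'Enabled'
```

The function only returns the template text; comparing it with the output of `secedit /export /cfg <file>` on a node shows whether the three values are already in place.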