noma4i / puppet-windows-hardening

Hardening Standalone Windows Server installations. LIST OF RULES NOT A PLUGIN

repo #1

Open rismoney opened 10 years ago

rismoney commented 10 years ago

I am moving forward with this here-

https://github.com/rismoney/puppet-win-cis/tree/keylist

noma4i commented 10 years ago

My project is currently stopped. Btw, I checked yours and can see that you are just changing registry keys. I was also doing that, but it is not working as expected. You are changing CurrentControlSet, but keys are spread around ControlSets and current has no effect on what you see in Local Computer Policy. Also, you can't affect Security Policies via the registry because they are stored in another place. A machine hardened with registry manipulations does not pass an audit with the CIS benchmark tool, and in some cases the changes are not in effect even after reboot. The idea to use secedit is also not working because it has access to only 2% of rules. PowerShell cmdlets are for domain members and not applicable to a standalone win2012 server.

Currently I'm using an old tool which was excluded from win2003 and gives the ability to dump local policies and apply them in bulk. This has the issue that I need to preconfigure a VM and sync the db dump for puppet. The benefit of this way is that rules are in effect right after they are applied. That is it.

rismoney commented 10 years ago

Ah, I see. I understand you stopping. I am at the edge of whether or not this is a good idea, but I digress for the time being. I have bigger visions regarding OVAL and SCAP integrations and tie-in to vulnerability scanning. This is more an interim solution to my company's own auditing requirements.

At this point, I have not approached the remediation, but would anticipate it would be just a manifest of registry keys toggled by hiera for host targeting using reg provider and a potential new one I conjure up around wmi and user rights.

Most of the work I have done has been on the facter side, to report on the state, and create an exception handler, a tailor file of sorts.

As far as CIS's tool, I have not yet used the CIS benchmark tool, but that sounds like a problem with CIS if they are publishing a registry key modification and their tool does not inspect it properly. Also, I am not familiar with registry changes not persisting after a reboot, so if you have an example I would be very interested in validating that.

Not sure what you mean by PowerShell cmdlets are for members. Do they not work for workgroup PCs?

As far as entitlements (local security policy), they can be handled via WMI calls. I haven't looked at the respective methods to effect the change, but a query is easy, i.e.:

gwmi -Namespace root\rsop\computer -Class RSOP_UserPrivilegeRight -Property AccountList

Anyways- glad to see you have been messing around with puppet and windows. Kudos!
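
The thread's idea of reporting user-rights state and filtering it through an exception ("tailor") list, shown as an added example in Ruby (the language Facter facts are written in); it is not code from either participant's project. It assumes the input is the already-decoded text of a `secedit /export /cfg <file> /areas USER_RIGHTS` file; the sample export, the baseline and the exception entries are all constructed for illustration and are not CIS values.

```ruby
# Constructed sample of a secedit USER_RIGHTS export (values are made up;
# a real export is UTF-16 and must be decoded before parsing).
SAMPLE_INF = <<~'INF'
  [Privilege Rights]
  SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
  SeDebugPrivilege = *S-1-5-32-544,svc_backup
  SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
  [Version]
  signature="$CHICAGO$"
INF

# Hypothetical baseline and exception ("tailor") data, not taken from CIS.
BASELINE = {
  'SeNetworkLogonRight'       => ['*S-1-5-32-544', '*S-1-5-11'],
  'SeDebugPrivilege'          => ['*S-1-5-32-544'],
  'SeShutdownPrivilege'       => ['*S-1-5-32-544'],
  'SeRemoteShutdownPrivilege' => ['*S-1-5-32-544']
}.freeze
EXCEPTIONS = { 'SeShutdownPrivilege' => 'accepted for this host class' }.freeze

# Return { right => [accounts] } from the [Privilege Rights] section only.
def parse_privilege_rights(inf_text)
  rights, section = {}, nil
  inf_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif section == 'Privilege Rights' && line.include?('=')
      name, value = line.split('=', 2).map(&:strip)
      rights[name] = value.split(',').map(&:strip).reject(&:empty?)
    end
  end
  rights
end

# A right absent from the export counts as assigned to nobody.
def audit_rights(actual, baseline, exceptions = {})
  baseline.each_with_object({}) do |(right, expected), findings|
    next if exceptions.key?(right) # tailored out for this host
    have = actual.fetch(right, [])
    extra, missing = have - expected, expected - have
    next if extra.empty? && missing.empty?
    findings[right] = { extra: extra, missing: missing }
  end
end

FINDINGS = audit_rights(parse_privilege_rights(SAMPLE_INF), BASELINE, EXCEPTIONS)
```

On the constructed sample, `FINDINGS` flags the extra account on `SeDebugPrivilege` and the unassigned `SeRemoteShutdownPrivilege`, while the deviation on `SeShutdownPrivilege` is suppressed by the exception entry.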