Added functionality to test Local Security Policy Security Options

[markwragg]

• Added SecurityOption.ps1, based on AuditPolicy.ps1 but using code/techniques from the SecurityPolicyDsc module to validate the setting of the Local Security Policy > Local Policies > Security Options settings.
• Added SecurityOptionData.psd1 copied from SecurityPolicyDsc which is used to map the security options to friendly names for their possible settings so that they can be tested using friendly names,
• Added standard Pester tests for this new function.

Example usage:

Import-Module PoshSpec

Describe 'PoshSpec tests' {

    SecurityOption 'Domain member: Maximum machine account password age' { 
        Should -Be 30 
    }

    SecurityOption 'Accounts: Limit local account use of blank passwords to console logon only' {
        Should -Be Enabled
    }

    SecurityOption 'Devices: Allow undock without having to log on' {
        Should -Be Enabled
    }

    SecurityOption 'User Account Control: Virtualize file and registry write failures to per user locations' {
        Should -Be Enabled
    }

    SecurityOption  'Accounts: Administrator account status' { 
        Should -Be Disabled 
    }

    # Testing that a security option is in a "not defined" (e.g unset) state.
    SecurityOption 'Accounts: Block Microsoft accounts' {
        Should -Be $null 
    }
}

Happy to write a wiki article for this new functionality if/when this PR is accepted.

[markwragg]

It seems I can't contribute it directly, but here's the wiki page for this new function:

---

SecurityOption

SYNOPSIS

Test a Local Security Policy Security Option.

DESCRIPTION

Test the setting of a particular Local Security Policy Security Option, as visible in the Local Security Policy MMC under Local Policies > Security Options.

PARAMETERS

Target [String]

[Parameter(
  Mandatory = $true,
  Position = 1
)]

The value provided to -Target needs to be one of the following:

• Accounts: Administrator account status
• Accounts: Block Microsoft accounts
• Accounts: Guest account status
• Accounts: Limit local account use of blank passwords to console logon only
• Accounts: Rename administrator account
• Accounts: Rename guest account
• Audit: Audit the access of global system objects
• Audit: Audit the use of Backup and Restore privilege
• Audit: Force audit policy subcategory settings Windows Vista or later to override audit policy category settings
• Audit: Shut down system immediately if unable to log security audits
• DCOM: Machine Access Restrictions in Security Descriptor Definition Language SDDL syntax
• DCOM: Machine Launch Restrictions in Security Descriptor Definition Language SDDL syntax
• Devices: Allow undock without having to log on
• Devices: Allowed to format and eject removable media
• Devices: Prevent users from installing printer drivers
• Devices: Restrict CD ROM access to locally logged on user only
• Devices: Restrict floppy access to locally logged on user only
• Domain controller: Allow server operators to schedule tasks
• Domain controller: LDAP server signing requirements
• Domain controller: Refuse machine account password changes
• Domain member: Digitally encrypt or sign secure channel data always
• Domain member: Digitally encrypt secure channel data when possible
• Domain member: Digitally sign secure channel data when possible
• Domain member: Disable machine account password changes
• Domain member: Maximum machine account password age
• Domain member: Require strong Windows 2000 or later session key
• Interactive logon: Display user information when the session is locked
• Interactive logon: Do not display last user name
• Interactive logon: Do not require CTRL ALT DEL
• Interactive logon: Machine account lockout threshold
• Interactive logon: Machine inactivity limit
• Interactive logon: Message text for users attempting to log on
• Interactive logon: Message title for users attempting to log on
• Interactive logon: Number of previous logons to cache in case domain controller is not available
• Interactive logon: Prompt user to change password before expiration
• Interactive logon: Require Domain Controller authentication to unlock workstation
• Interactive logon: Require smart card
• Interactive logon: Smart card removal behavior
• Microsoft network client: Digitally sign communications always
• Microsoft network client: Digitally sign communications if server agrees
• Microsoft network client: Send unencrypted password to third party SMB servers
• Microsoft network server: Amount of idle time required before suspending session
• Microsoft network server: Attempt S4U2Self to obtain claim information
• Microsoft network server: Digitally sign communications always
• Microsoft network server: Digitally sign communications if client agrees
• Microsoft network server: Disconnect clients when logon hours expire
• Microsoft network server: Server SPN target name validation level
• Network access: Allow anonymous SID Name translation
• Network access: Do not allow anonymous enumeration of SAM accounts
• Network access: Do not allow anonymous enumeration of SAM accounts and shares
• Network access: Do not allow storage of passwords and credentials for network authentication
• Network access: Let Everyone permissions apply to anonymous users
• Network access: Named Pipes that can be accessed anonymously
• Network access: Remotely accessible registry paths
• Network access: Remotely accessible registry paths and subpaths
• Network access: Restrict anonymous access to Named Pipes and Shares
• Network access: Restrict clients allowed to make remote calls to SAM
• Network access: Shares that can be accessed anonymously
• Network access: Sharing and security model for local accounts
• Network security: Allow Local System to use computer identity for NTLM
• Network security: Allow LocalSystem NULL session fallback
• Network Security: Allow PKU2U authentication requests to this computer to use online identities
• Network security: Configure encryption types allowed for Kerberos
• Network security: Do not store LAN Manager hash value on next password change
• Network security: Force logoff when logon hours expire
• Network security: LAN Manager authentication level
• Network security: LDAP client signing requirements
• Network security: Minimum session security for NTLM SSP based including secure RPC clients
• Network security: Minimum session security for NTLM SSP based including secure RPC servers
• Network security: Restrict NTLM Add remote server exceptions for NTLM authentication
• Network security: Restrict NTLM Add server exceptions in this domain
• Network Security: Restrict NTLM Incoming NTLM Traffic
• Network Security: Restrict NTLM NTLM authentication in this domain
• Network Security: Restrict NTLM Outgoing NTLM traffic to remote servers
• Network Security: Restrict NTLM Audit Incoming NTLM Traffic
• Network Security: Restrict NTLM Audit NTLM authentication in this domain
• Recovery console: Allow automatic administrative logon
• Recovery console: Allow floppy copy and access to all drives and folders
• Shutdown: Allow system to be shut down without having to log on
• Shutdown: Clear virtual memory pagefile
• System cryptography: Force strong key protection for user keys stored on the computer
• System cryptography: Use FIPS compliant algorithms for encryption hashing and signing
• System objects: Require case insensitivity for non Windows subsystems
• System objects: Strengthen default permissions of internal system objects eg Symbolic Links
• System settings: Optional subsystems
• System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
• User Account Control: Admin Approval Mode for the Built in Administrator account
• User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
• User Account Control: Behavior of the elevation prompt for standard users
• User Account Control: Detect application installations and prompt for elevation
• User Account Control: Only elevate executables that are signed and validated
• User Account Control: Only elevate UIAccess applications that are installed in secure locations
• User Account Control: Run all administrators in Admin Approval Mode
• User Account Control: Switch to the secure desktop when prompting for elevation
• User Account Control: Virtualize file and registry write failures to per user locations

Should [ScriptBlock]

[Parameter(
  Mandatory = $true,
  Position = 2,
)]

You need to test against the friendly version of the result (as visible in the Local Security Policy MMC). For example Disabled or Enabled not 1 or 0 (per the registry).

If you want to validate that a setting is in a "Not Defined" state (e.g unset) you should test for $null.

Assertions

Assertions: Be, BeExactly, Match, MatchExactly

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

SecurityOption 'Accounts: Administrator account status' {
    Should -Be Disabled
}

-------------------------- EXAMPLE 2 --------------------------

SecurityOption 'Domain member: Maximum machine account password age' {
    Should -Be 30
}

-------------------------- EXAMPLE 3 --------------------------

SecurityOption 'Accounts: Block Microsoft accounts' {
    Should -Be $null
}

-------------------------- EXAMPLE 4 --------------------------

SecurityOption 'Network access: Sharing and security model for local accounts' {
    Should -Be 'Classic - local users authenticate as themselves'
}

[markwragg]

@cdhunt any news on whether this can be merged?