diff --git a/.kitchen.yml b/.kitchen.yml
index 70f4f13..fe59329 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -41,4 +41,11 @@ suites:
 attributes:
 verifier:
 inspec_tests:
- - https://github.com/dev-sec/windows-hardening-benchmark
\ No newline at end of file
+ - https://github.com/dev-sec/windows-hardening-benchmark
+
+ - name: CIS_2012r2_L1
+ run_list:
+ - recipe[base-win2012-hardening::CIS_2012r2_L1]
+ verifier:
+ inspec_tests:
+ - test/integration/default
\ No newline at end of file
diff --git a/files/CIS_2012r2_L1_audit_settings.csv b/files/CIS_2012r2_L1_audit_settings.csv
new file mode 100644
index 0000000..434988a
--- /dev/null
+++ b/files/CIS_2012r2_L1_audit_settings.csv
@@ -0,0 +1,22 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Application Group Management,{0cce9239-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
\ No newline at end of file
diff --git a/files/CIS_2012r2_L1_localComputer.inf b/files/CIS_2012r2_L1_localComputer.inf
new file mode 100644
index 0000000..b7ab6ff
--- /dev/null
+++ b/files/CIS_2012r2_L1_localComputer.inf
@@ -0,0 +1,67 @@
+[Unicode]
+Unicode=yes
+[System Access]
+MinimumPasswordAge = 1
+MaximumPasswordAge = 60
+MinimumPasswordLength = 10
+PasswordComplexity = 1
+PasswordHistorySize = 24
+LockoutBadCount = 10
+ResetLockoutCount = 15
+LockoutDuration = 15
+RequireLogonToChangePassword = 0
+ForceLogoffWhenHourExpire = 1
+NewAdministratorName = "Administrator"
+NewGuestName = "Guest"
+ClearTextPassword = 0
+LSAAnonymousNameLookup = 0
+EnableAdminAccount = 1
+EnableGuestAccount = 0
+[Event Audit]
+AuditSystemEvents = 1
+AuditLogonEvents = 0
+AuditObjectAccess = 0
+AuditPrivilegeUse = 0
+AuditPolicyChange = 0
+AuditAccountManage = 0
+AuditProcessTracking = 0
+AuditDSAccess = 0
+AuditAccountLogon = 0
+[Privilege Rights]
+SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
+SeBackupPrivilege = *S-1-5-32-544
+SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-0
+SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
+SeCreatePagefilePrivilege = *S-1-5-32-544
+SeDebugPrivilege = *S-1-5-32-544
+SeRemoteShutdownPrivilege = *S-1-5-32-544
+SeAuditPrivilege = *S-1-5-19,*S-1-5-20
+SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
+SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
+SeLoadDriverPrivilege = *S-1-5-32-544
+SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
+SeServiceLogonRight = *S-1-5-80-0
+SeInteractiveLogonRight = *S-1-5-32-544
+SeSecurityPrivilege = *S-1-5-32-544
+SeSystemEnvironmentPrivilege = *S-1-5-32-544
+SeProfileSingleProcessPrivilege = *S-1-5-32-544
+SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
+SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
+SeRestorePrivilege = *S-1-5-32-544
+SeShutdownPrivilege = *S-1-5-32-544
+SeTakeOwnershipPrivilege = *S-1-5-32-544
+SeDenyNetworkLogonRight = *S-1-5-32-546
+SeDenyBatchLogonRight = *S-1-5-32-546
+SeDenyServiceLogonRight = *S-1-5-32-546
+SeDenyInteractiveLogonRight = *S-1-5-32-546
+SeUndockPrivilege = *S-1-5-32-544
+SeManageVolumePrivilege = *S-1-5-32-544
+SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
+SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6
+SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
+SeIncreaseWorkingSetPrivilege = *S-1-5-32-545,*S-1-5-90-0
+SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544
+SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
+[Version]
+signature="$CHICAGO$"
+Revision=1
diff --git a/metadata.rb b/metadata.rb
index d50c696..1750abf 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -1,8 +1,7 @@
-name 'base-win2012-hardening'
-maintainer 'Joe Gardiner'
-maintainer_email 'joe@chef.io'
-license 'all_rights'
-description 'Hardneing cookbook for Windows 2012 R2'
-long_description 'Remediates critical issues identified by the Windows base profile in Chef Compliance.'
-version '0.7.1'
-
+name 'base-win2012-hardening'
+maintainer 'Joe Gardiner'
+maintainer_email 'joe@chef.io'
+license 'all_rights'
+description 'Hardneing cookbook for Windows 2012 R2'
+long_description 'Remediates critical issues identified by the Windows base profile in Chef Compliance.'
+version '0.7.1'
diff --git a/recipes/CIS_2012r2_L1.rb b/recipes/CIS_2012r2_L1.rb
new file mode 100644
index 0000000..8cd4669
--- /dev/null
+++ b/recipes/CIS_2012r2_L1.rb
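Review bot: `MinimumPasswordLength = 10` in the `[System Access]` section is below the 14 characters that the CIS Windows Server 2012 R2 L1 benchmark recommends for this control as far as I recall, and `NewAdministratorName = "Administrator"` / `NewGuestName = "Guest"` keep the built-in account names the same benchmark asks to rename, so if these are deliberate site deviations a comment naming the control and the reason would stop the next reader from "correcting" them. The `[Event Audit]` block holds the legacy nine-category settings, which the recipe sidelines by setting `scenoapplylegacyauditpolicy` to 1 and restoring the advanced audit CSV; a one-line comment such as `; legacy categories are ignored while SCENoApplyLegacyAuditPolicy=1 - advanced policy comes from CIS_2012r2_L1_audit_settings.csv` would make that relationship visible. Since this template assigns `SeDebugPrivilege`, `SeLoadDriverPrivilege` and `SeTakeOwnershipPrivilege` and is imported by the recipe with secedit, a header comment should also state that the file must only be writable by administrators wherever it is staged.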
@@ -0,0 +1,571 @@
+#
+# Cookbook Name:: base-win2012-hardening
+# Recipe:: CIS_2012r2_L1
+#
+# Copyright (c) 2017 Matt Tunny, All Rights Reserved.
+#
+# Setting below break test-kitchen but required in production, Also this recipe does not include firewall settings.
+# unless ENV['TEST_KITCHEN']
+
+# NTLM Hardening -- This settings breaks WinRM
+if node['NTLM_Harden'] == true
+ # System Policys
+ registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' do
+ values [{ name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 0 }] # This breaks test-kitchen if enabled
+ action :create
+ end
+ # NTLM Hardening
+ registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do
+ values [{ name: 'RestrictReceivingNTLMTraffic', type: :dword, data: 2 },
+ { name: 'RestrictSendingNTLMTraffic', type: :dword, data: 2 }]
+ action :create
+ end
+end
+
+# Winlogon Settings
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' do
+ values [{ name: 'PasswordExpiryWarning', type: :dword, data: 14 },
+ { name: 'ScreenSaverGracePeriod', type: :string, data: 5 },
+ { name: 'AllocateDASD', type: :string, data: 0 },
+ { name: 'ScRemoveOption', type: :string, data: 1 },
+ { name: 'ForceUnlockLogon', type: :string, data: 0 },
+ { name: 'AutoAdminLogon', type: :string, data: 0 }, # This will stop auto login for kitchen tests
+ { name: 'CachedLogonsCount', type: :string, data: 4 }]
+ action :create
+end
+
+# LSA settings
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' do
+ values [ # { name: 'fullprivilegeauditing', type: :binary, data: 01 }, Removed due to 31 value being passed through chef, added powershell script below
+ { name: 'AuditBaseObjects', type: :dword, data: 1 },
+ { name: 'scenoapplylegacyauditpolicy', type: :dword, data: 1 },
+ { name: 'DisableDomainCreds', type: :dword, data: 1 },
+ { name: 'LimitBlankPasswordUse', type: :dword, data: 1 },
+ { name: 'CrashOnAuditFail', type: :dword, data: 0 },
+ { name: 'RestrictAnonymousSAM', type: :dword, data: 1 },
+ { name: 'RestrictAnonymous', type: :dword, data: 0 },
+ { name: 'SubmitControl', type: :dword, data: 0 },
+ { name: 'ForceGuest', type: :dword, data: 0 },
+ { name: 'EveryoneIncludesAnonymous', type: :dword, data: 0 },
+ { name: 'NoLMHash', type: :dword, data: 1 },
+ { name: 'LmCompatibilityLevel', type: :dword, data: 5 }]
+ action :create
+end
+
+# LSA Setting can't be added via registry_key due to hex key bug'
+powershell_script 'fullprivilegeauditing' do
+ code <<-EOH
+Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" -Name fullprivilegeauditing -Value 01
+EOH
+end
+
+# This setting prevents online identities from being used by PKU2U, which is a peer-to-peer authentication protocol. Authentication will be centrally managed with Windows user accounts.
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' do
+ values [{
+ name: 'AllowOnlineID',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+end
+
+# NTML Hardening
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' do
+ values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 },
+ { name: 'allownullsessionfallback', type: :dword, data: 0 },
+ { name: 'NTLMMinClientSec', type: :dword, data: 537_395_200 },
+ { name: 'AuditReceivingNTLMTraffic', type: :dword, data: 2 }]
+ action :create
+end
+
+# Setting this on breaks test-kitchen - Federal Information Processing Standards.
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' do
+ values [{
+ name: 'Enabled',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+end
+
+# RDP Encryption
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' do
+ values [{
+ name: 'MinEncryptionLevel',
+ type: :dword,
+ data: 3
+ }]
+ action :create
+end
+
+# Netlogon Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' do
+ values [{ name: 'MaximumPasswordAge', type: :dword, data: 30 },
+ { name: 'DisablePasswordChange', type: :dword, data: 0 },
+ { name: 'RefusePasswordChange', type: :dword, data: 0 },
+ { name: 'SealSecureChannel', type: :dword, data: 1 },
+ { name: 'RequireSignOrSeal', type: :dword, data: 1 },
+ { name: 'SignSecureChannel', type: :dword, data: 1 },
+ { name: 'RequireStrongKey', type: :dword, data: 1 },
+ { name: 'RestrictNTLMInDomain', type: :dword, data: 7 },
+ { name: 'AuditNTLMInDomain', type: :dword, data: 7 }]
+ action :create
+end
+
+# TCPIP 4 Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters' do
+ values [{ name: 'DisableIPSourceRouting', type: :dword, data: 2 },
+ { name: 'TcpMaxDataRetransmissions', type: :dword, data: 3 }]
+ action :create
+end
+
+# TCPIP 6 Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters' do
+ values [{ name: 'DisableIPSourceRouting', type: :dword, data: 2 },
+ { name: 'TcpMaxDataRetransmissions', type: :dword, data: 3 }]
+ action :create
+end
+
+# System Policys
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' do
+ values [{ name: 'ConsentPromptBehaviorUser', type: :dword, data: 0 },
+ { name: 'EnableLUA', type: :dword, data: 1 },
+ { name: 'MSAOptional', type: :dword, data: 1 },
+ { name: 'NoConnectedUser', type: :dword, data: 1 },
+ { name: 'PromptOnSecureDesktop', type: :dword, data: 1 },
+ { name: 'EnableVirtualization', type: :dword, data: 1 },
+ { name: 'EnableUIADesktopToggle', type: :dword, data: 0 },
+ { name: 'ConsentPromptBehaviorAdmin', type: :dword, data: 2 },
+ { name: 'EnableSecureUIAPaths', type: :dword, data: 1 },
+ { name: 'FilterAdministratorToken', type: :dword, data: 1 },
+ { name: 'MaxDevicePasswordFailedAttempts', type: :dword, data: 10 },
+ { name: 'DontDisplayLastUserName', type: :dword, data: 1 },
+ { name: 'DontDisplayLockedUserId', type: :dword, data: 3 },
+ { name: 'InactivityTimeoutSecs', type: :dword, data: 900 },
+ { name: 'EnableInstallerDetection', type: :dword, data: 1 },
+ { name: 'DisableCAD', type: :dword, data: 0 },
+ { name: 'ShutdownWithoutLogon', type: :dword, data: 0 },
+ { name: 'legalnoticecaption', type: :string, data: 'Legal caption here' },
+ { name: 'legalnoticetext', type: :string, data: 'Legal text and harsh warnings etc here.....' }]
+ action :create
+end
+
+# Lanman Server Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' do
+ values [{ name: 'enablesecuritysignature', type: :dword, data: 1 },
+ { name: 'requiresecuritysignature', type: :dword, data: 1 },
+ { name: 'RestrictNullSessAccess', type: :dword, data: 1 },
+ { name: 'enableforcedlogoff', type: :dword, data: 1 },
+ { name: 'autodisconnect', type: :dword, data: 15 },
+ { name: 'SMBServerNameHardeningLevel', type: :dword, data: 0 }]
+ action :create
+end
+
+# Lanman Workstation Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' do
+ values [{ name: 'RequireSecuritySignature', type: :dword, data: 1 },
+ { name: 'EnableSecuritySignature', type: :dword, data: 1 },
+ { name: 'EnablePlainTextPassword', type: :dword, data: 0 }]
+ action :create
+end
+
+# Lanman Print Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' do
+ values [{
+ name: 'AddPrinterDrivers',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+end
+
+# LDAP Client Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP' do
+ values [{
+ name: 'LDAPClientIntegrity',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+end
+
+# LDAP Server Parameters
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters' do
+ values [{
+ name: 'LDAPServerIntegrity',
+ type: :dword,
+ data: 2
+ }]
+ action :create
+end
+
+# Session Manager
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager' do
+ values [{ name: 'ProtectionMode', type: :dword, data: 1 },
+ { name: 'SafeDllSearchMode', type: :dword, data: 1 }]
+ action :create
+end
+
+# EMET Application Parameters
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults' do
+ values [{ name: 'IE', type: :string, data: '*\Internet Explorer\iexplore.exe' },
+ { name: '7z', type: :string, data: '*\7-Zip\7z.exe -EAF' },
+ { name: '7zFM', type: :string, data: '*\7-Zip\7zFM.exe -EAF' },
+ { name: '7zGUI', type: :string, data: '*\7-Zip\7zG.exe -EAF' },
+ { name: 'Access', type: :string, data: '*\OFFICE1*\MSACCESS.EXE' },
+ { name: 'Acrobat', type: :string, data: '*\Adobe\Acrobat*\Acrobat\Acrobat.exe' },
+ { name: 'AcrobatReader', type: :string, data: '*\Adobe\Reader*\Reader\AcroRd32.exe' },
+ { name: 'Chrome', type: :string, data: '*\Google\Chrome\Application\chrome.exe -SEHOP' },
+ { name: 'Excel', type: :string, data: '*\OFFICE1*\EXCEL.EXE' },
+ { name: 'Firefox', type: :string, data: '*\Mozilla Firefox\firefox.exe' },
+ { name: 'FirefoxPluginContainer', type: :string, data: '*\Mozilla Firefox\plugin-container.exe' },
+ { name: 'FoxitReader', type: :string, data: '*\Foxit Reader\Foxit Reader.exe' },
+ { name: 'GoogleTalk', type: :string, data: '*\Google\Google Talk\googletalk.exe -DEP -SEHOP' },
+ { name: 'InfoPath', type: :string, data: '*\OFFICE1*\INFOPATH.EXE' },
+ { name: 'iTunes', type: :string, data: '*\iTunes\iTunes.exe' },
+ { name: 'jre6_java', type: :string, data: '*\Java\jre6\bin\java.exe -HeapSpray' },
+ { name: 'jre6_javaw', type: :string, data: '*\Java\jre6\bin\javaw.exe -HeapSpray' },
+ { name: 'jre6_javaws', type: :string, data: '*\Java\jre6\bin\javaws.exe -HeapSpray' },
+ { name: 'jre7_java', type: :string, data: '*\Java\jre7\bin\java.exe -HeapSpray' },
+ { name: 'jre7_javaw', type: :string, data: '*\Java\jre7\bin\javaw.exe -HeapSpray' },
+ { name: 'jre7_javaws', type: :string, data: '*\Java\jre7\bin\javaws.exe -HeapSpray' },
+ { name: 'jre8_java', type: :string, data: '*\Java\jre1.8*\bin\java.exe -HeapSpray' },
+ { name: 'jre8_javaw', type: :string, data: '*\Java\jre1.8*\bin\javaw.exe -HeapSpray' },
+ { name: 'jre8_javaws', type: :string, data: '*\Java\jre1.8*\bin\javaws.exe -HeapSpray' },
+ { name: 'LiveWriter', type: :string, data: '*\Windows Live\Writer\WindowsLiveWriter.exe' },
+ { name: 'Lync', type: :string, data: '*\OFFICE1*\LYNC.EXE' },
+ { name: 'LyncCommunicator', type: :string, data: '*\Microsoft Lync\communicator.exe' },
+ { name: 'mIRC', type: :string, data: '*\mIRC\mirc.exe' },
+ { name: 'Opera', type: :string, data: '*\Opera\opera.exe' },
+ { name: 'Outlook', type: :string, data: '*\OFFICE1*\OUTLOOK.EXE' },
+ { name: 'PhotoGallery', type: :string, data: '*\Windows Live\Photo Gallery\WLXPhotoGallery.exe' },
+ { name: 'Photoshop', type: :string, data: '*\Adobe\Adobe Photoshop CS*\Photoshop.exe' },
+ { name: 'Picture Manager', type: :string, data: '*\OFFICE1*\OIS.EXE' },
+ { name: 'Pidgin', type: :string, data: '*\Pidgin\pidgin.exe' },
+ { name: 'PowerPoint', type: :string, data: '*\OFFICE1*\POWERPNT.EXE' },
+ { name: 'PPTViewer', type: :string, data: '*\OFFICE1*\PPTVIEW.EXE' },
+ { name: 'Publisher', type: :string, data: '*\OFFICE1*\MSPUB.EXE' },
+ { name: 'QuickTimePlayer', type: :string, data: '*\QuickTime\QuickTimePlayer.exe' },
+ { name: 'RealConverter', type: :string, data: '*\Real\RealPlayer\realconverter.exe' },
+ { name: 'RealPlayer', type: :string, data: '*\Real\RealPlayer\realplay.exe' },
+ { name: 'Safari', type: :string, data: '*\Safari\Safari.exe' },
+ { name: 'SkyDrive', type: :string, data: '*\SkyDrive\SkyDrive.exe' },
+ { name: 'Skype', type: :string, data: '*\Skype\Phone\Skype.exe -EAF' },
+ { name: 'Thunderbird', type: :string, data: '*\Mozilla Thunderbird\thunderbird.exe' },
+ { name: 'ThunderbirdPluginContainer', type: :string, data: '*\Mozilla Thunderbird\plugin-container.exe' },
+ { name: 'UnRAR', type: :string, data: '*\WinRAR\unrar.exe' },
+ { name: 'Visio', type: :string, data: '*\OFFICE1*\VISIO.EXE' },
+ { name: 'VisioViewer', type: :string, data: '*\OFFICE1*\VPREVIEW.EXE' },
+ { name: 'VLC', type: :string, data: '*\VideoLAN\VLC\vlc.exe' },
+ { name: 'Winamp', type: :string, data: '*\Winamp\winamp.exe' },
+ { name: 'WindowsLiveMail', type: :string, data: '*\Windows Live\Mail\wlmail.exe' },
+ { name: 'WindowsMediaPlayer', type: :string, data: '*\Windows Media Player\wmplayer.exe -SEHOP -EAF -MandatoryASLR' },
+ { name: 'WinRARConsole', type: :string, data: '*\WinRAR\rar.exe' },
+ { name: 'WinRARGUI', type: :string, data: '*\WinRAR\winrar.exe' },
+ { name: 'WinZip', type: :string, data: '*\WinZip\winzip32.exe' },
+ { name: 'Winzip64', type: :string, data: '*\WinZip\winzip64.exe' },
+ { name: 'Word', type: :string, data: '*\OFFICE1*\WINWORD.EXE' },
+ { name: 'Wordpad', type: :string, data: '*\Windows NT\Accessories\wordpad.exe' }]
+ recursive true
+ action :create
+end
+
+# EMET Sys Parameters
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings' do
+ values [{ name: 'DEP', type: :dword, data: 2 }]
+ recursive true
+ action :create
+end
+
+# Session Management Kernal
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel' do
+ values [{
+ name: 'ObCaseInsensitive',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+end
+
+# WDigest Parameters
+registry_key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' do
+ values [{
+ name: 'UseLogonCredential',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+end
+
+# Memory Management
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management' do
+ values [{
+ name: 'ClearPageFileAtShutdown',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+end
+
+# RecoveryConsole Parameters
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole' do
+ values [{ name: 'setcommand', type: :dword, data: 0 },
+ { name: 'securitylevel', type: :dword, data: 0 }]
+ action :create
+end
+
+# Event Log
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security' do
+ values [{
+ name: 'WarningLevel',
+ type: :dword,
+ data: 90
+ }]
+ action :create
+end
+
+# Cryptography Parameters
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography' do
+ values [{
+ name: 'ForceKeyProtection',
+ type: :dword,
+ data: 2
+ }]
+ action :create
+end
+
+# CodeIdentifiers Parameters
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers' do
+ values [{
+ name: 'authenticodeenabled',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+end
+
+# AllowedPaths
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' do
+ values [{
+ name: 'Machine',
+ type: :multi_string,
+ data: ['System\CurrentControlSet\Control\Print\Printers',
+ 'System\CurrentControlSet\Services\Eventlog',
+ 'Software\Microsoft\OLAP Server',
+ 'Software\Microsoft\Windows NT\CurrentVersion\Print',
+ 'Software\Microsoft\Windows NT\CurrentVersion\Windows',
+ 'System\CurrentControlSet\Control\ContentIndex',
+ 'System\CurrentControlSet\Control\Terminal Server',
+ 'System\CurrentControlSet\Control\Terminal Server\UserConfig',
+ 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
+ 'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
+ 'System\CurrentControlSet\Services\SysmonLog'] }]
+ action :create
+end
+
+# AllowedExactPaths
+registry_key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' do
+ values [{
+ name: 'Machine',
+ type: :multi_string,
+ data: ['System\CurrentControlSet\Control\ProductOptions',
+ 'System\CurrentControlSet\Control\Server Applications',
+ 'Software\Microsoft\Windows NT\CurrentVersion'] }]
+ action :create
+end
+
+# WinRS Parameters
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS' do
+ values [{
+ name: 'AllowRemoteShellAccess',
+ type: :dword,
+ data: 1
+ }]
+ recursive true
+ action :create
+end
+
+# Search Companion prevented from automatically downloading content updates. #
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' do
+ values [{
+ name: 'DisableContentFileUpdates',
+ type: :dword,
+ data: 1
+ }]
+ recursive true
+ action :create
+end
+
+# SQMC
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' do
+ values [{
+ name: 'CEIPEnable',
+ type: :dword,
+ data: 0
+ }]
+ recursive true
+ action :create
+end
+
+# Disable Microsoft Online Accounts
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount' do
+ values [{
+ name: 'value',
+ type: :dword,
+ data: 0
+ }]
+ recursive true
+ action :create
+end
+
+# Disable Network SelectionUI
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' do
+ values [{
+ name: 'DontDisplayNetworkSelectionUI',
+ type: :dword,
+ data: 1
+ }]
+ recursive true
+ action :create
+end
+
+# UAC Elevation
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer' do
+ values [{
+ name: 'AlwaysInstallElevated',
+ type: :dword,
+ data: 0
+ }]
+ recursive true
+ action :create
+end
+
+# Audit Logs
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application' do
+ values [{ name: 'MaxSize', type: :dword, data: 327_68 },
+ { name: 'Retention', type: :string, data: 0 }]
+ recursive true
+ action :create
+end
+# Audit Logs
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security' do
+ values [{ name: 'MaxSize', type: :dword, data: 196_608 },
+ { name: 'Retention', type: :string, data: 0 }]
+ recursive true
+ action :create
+end
+# Audit Logs
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System' do
+ values [{ name: 'MaxSize', type: :dword, data: 327_68 },
+ { name: 'Retention', type: :string, data: 0 }]
+ recursive true
+ action :create
+end
+# Auto Mount CD Drive
+registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' do
+ values [{ name: 'NoDriveTypeAutoRun', type: :dword, data: 255 },
+ { name: 'NoPublishingWizard', type: :dword, data: 1 }]
+ action :create
+end
+
+# Index of encrypted files
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' do
+ values [{
+ name: 'AllowIndexingEncryptedStoresOrItems',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Personalization Lock screen
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization' do
+ values [
+ { name: 'NoLockScreenSlideshow', type: :dword, data: 1 },
+ { name: 'NoLockScreenCamera', type: :dword, data: 1 }]
+ action :create
+ recursive true
+end
+
+# Messenger
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client' do
+ values [{
+ name: 'CEIP',
+ type: :dword,
+ data: 2
+ }]
+ action :create
+ recursive true
+end
+
+# Turn off Windows Update device driver searching
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching' do
+ values [{
+ name: 'DontSearchWindowsUpdate',
+ type: :dword,
+ data: 1
+ }]
+ action :create
+ recursive true
+end
+
+# Enable WinRM
+registry_key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' do
+ values [
+ { name: 'AllowAutoConfig', type: :dword, data: 1 },
+ { name: 'IPv4Filter', type: :string, data: '*' }]
+ action :create
+end
+
+# Powershell ScriptBlock Logging
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' do
+ values [{
+ name: 'EnableScriptBlockLogging',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Powershell Transcription
+registry_key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' do
+ values [{
+ name: 'EnableTranscripting',
+ type: :dword,
+ data: 0
+ }]
+ action :create
+ recursive true
+end
+
+# Force Windows Update
+
+directory 'c:/temp' do
+ action :create
+end
+
+# Local Security Policy
+cookbook_file 'c:/temp/CIS_2012r2_L1_localComputer.inf' do
+ action :create
+end
+
+# Reg Files for save applications
+cookbook_file 'c:/temp/CIS_2012r2_L1_audit_settings.csv' do
+ action :create
+end
+
+# Script to apply settings that can't be down in registry'
+powershell_script 'import' do
+ cwd 'c:/temp'
+ code <<-EOH
+ secedit /import /db secedit.sdb /cfg CIS_2012r2_L1_localComputer.inf
+ secedit /configure /db secedit.sdb
+ auditpol /restore /File:CIS_2012r2_L1_audit_settings.csv
+ gpupdate /force
+ del "CIS_2012r2_L1_localComputer.inf" -force -ErrorAction SilentlyContinue
+ del "secedit.sdb" -force -ErrorAction SilentlyContinue
+ del "CIS_2012r2_L1_audit_settings.csv" -force -ErrorAction SilentlyContinue
+ EOH
+end
diff --git a/test/integration/default/default_spec.rb b/test/integration/default/default_spec.rb
new file mode 100644
index 0000000..dcecf90
--- /dev/null
+++ b/test/integration/default/default_spec.rb
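Review bot: `directory 'c:/temp'` is created with default ACLs, and the INF that assigns privilege rights plus the audit CSV are copied there and consumed by `powershell_script 'import'`; a directory created directly under the system drive root normally inherits write access for Authenticated Users, so a local non-admin user could swap those files between `cookbook_file` and `secedit /import`, and the copy-then-`del` sequence leaves nothing to inspect afterwards. Stage the inputs under `Chef::Config[:file_cache_path]` with explicit `rights` and `inherits false`, and give `powershell_script 'import'` `action :nothing` triggered by `notifies` from the two `cookbook_file` resources (dropping the `del` lines so the staged copies stay put), which also stops `secedit` and `gpupdate /force` re-running on every converge. Separately, `EnableScriptBlockLogging` and `EnableTranscripting` are both set to 0 near the end of the recipe, which removes PowerShell telemetry that incident response relies on; if that tracks the benchmark revision being implemented, a comment with the control reference would help, otherwise consider reading both from a node attribute that defaults to 1. The `:string` entries carrying Integer `data` (`ScreenSaverGracePeriod`, `AllocateDASD`, `ScRemoveOption`, `ForceUnlockLogon`, `AutoAdminLogon`, `CachedLogonsCount`, and `Retention` in the three EventLog keys) look as though they were meant to be `'5'`, `'0'` and so on; I am not certain how the registry_key provider coerces them, so confirm on a converge against the `should eq '5'` style assertions in default_spec.rb.
```ruby
# Stage the policy inputs under Chef's own cache rather than a shared c:/temp.
staging = ::File.join(Chef::Config[:file_cache_path], 'CIS_2012r2_L1')

directory staging do
  rights :full_control, 'Administrators'
  rights :full_control, 'SYSTEM'
  inherits false
  action :create
end

# Local Security Policy
cookbook_file ::File.join(staging, 'CIS_2012r2_L1_localComputer.inf') do
  source 'CIS_2012r2_L1_localComputer.inf'
  action :create
  notifies :run, 'powershell_script[import]', :delayed
end

# Advanced audit policy (auditpol backup format)
cookbook_file ::File.join(staging, 'CIS_2012r2_L1_audit_settings.csv') do
  source 'CIS_2012r2_L1_audit_settings.csv'
  action :create
  notifies :run, 'powershell_script[import]', :delayed
end

# Runs only when one of the staged inputs changes.
powershell_script 'import' do
  cwd staging
  code <<-EOH
    # … unchanged: secedit /import, secedit /configure, auditpol /restore, gpupdate /force (del lines removed) …
  EOH
  action :nothing
end
```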
@@ -0,0 +1,406 @@ +# encoding: utf-8 + +# Inspec test for CIS_2012r2_L1 +# +# Copyright (c) 2017 Matt Tunny, All Rights Reserved. +# +# The Inspec reference, with examples and extensive documentation, can be +# found at http://inspec.io/docs/reference/resources/ + +# WinLogon Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') do + its('PasswordExpiryWarning') { should eq 14 } + its('ScreenSaverGracePeriod') { should eq '5' } + its('AllocateDASD') { should eq '0' } + its('ScRemoveOption') { should eq '1' } + its('CachedLogonsCount') { should eq '4' } +end + +# LSA tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa') do + its('FullPrivilegeAuditing') { should eq [01] } + its('AuditBaseObjects') { should eq 1 } + its('scenoapplylegacyauditpolicy') { should eq 1 } + its('DisableDomainCreds') { should eq 1 } + its('LimitBlankPasswordUse') { should eq 1 } + its('CrashOnAuditFail') { should eq 0 } + its('RestrictAnonymousSAM') { should eq 1 } + its('RestrictAnonymous') { should eq 0 } + its('SubmitControl') { should eq 0 } + its('ForceGuest') { should eq 0 } + its('EveryoneIncludesAnonymous') { should eq 0 } + its('NoLMHash') { should eq 1 } + its('LmCompatibilityLevel') { should eq 5 } +end + +# LSA Pku2 tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u') do + its('AllowOnlineID') { should eq 0 } +end + +# LSA MSV1_0 Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0') do + its('NTLMMinServerSec') { should eq 537_395_200 } + its('allownullsessionfallback') { should eq 0 } + its('NTLMMinClientSec') { should eq 537_395_200 } + its('AuditReceivingNTLMTraffic') { should eq 2 } +end + +# NTLM Test +# describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0') do +# its('RestrictReceivingNTLMTraffic') { should eq 2 } +# its('RestrictSendingNTLMTraffic') { should eq 2 } +# end + 
+# FIPS FIPSAlgorithmPolicy Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy') do + its('Enabled') { should eq 0 } +end + +# Netlogon Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters') do + its('MaximumPasswordAge') { should eq 30 } + its('DisablePasswordChange') { should eq 0 } + its('RefusePasswordChange') { should eq 0 } + its('SealSecureChannel') { should eq 1 } + its('RequireSignOrSeal') { should eq 1 } + its('SignSecureChannel') { should eq 1 } + its('RequireStrongKey') { should eq 1 } + its('RestrictNTLMInDomain') { should eq 7 } + its('AuditNTLMInDomain') { should eq 7 } +end + +# TCPIP v4 Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters') do + its('DisableIPSourceRouting') { should eq 2 } + its('TcpMaxDataRetransmissions') { should eq 3 } +end + +# TCPIP v6 Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters') do + its('DisableIPSourceRouting') { should eq 2 } + its('TcpMaxDataRetransmissions') { should eq 3 } +end + +# Windows System Policies Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System') do + its('ConsentPromptBehaviorUser') { should eq 0 } + its('EnableLUA') { should eq 1 } + its('PromptOnSecureDesktop') { should eq 1 } + its('EnableVirtualization') { should eq 1 } + its('EnableUIADesktopToggle') { should eq 0 } + its('ConsentPromptBehaviorAdmin') { should eq 2 } + # its('LocalAccountTokenFilterPolicy') { should eq 0 } Removed due to breaking Test-Kitchen + its('EnableSecureUIAPaths') { should eq 1 } + its('FilterAdministratorToken') { should eq 1 } + its('MaxDevicePasswordFailedAttempts') { should eq 10 } + its('DontDisplayLastUserName') { should eq 1 } + its('DontDisplayLockedUserId') { should eq 3 } + its('InactivityTimeoutSecs') { should eq 900 } + its('EnableInstallerDetection') { 
should eq 1 } + its('DisableCAD') { should eq 0 } + its('ShutdownWithoutLogon') { should eq 0 } + its('legalnoticecaption') { should eq 'Legal caption here' } + its('legalnoticetext') do + should eq 'Legal text and harsh warnings etc here.....' + end +end + +# LanMan Server Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters') do + its('enablesecuritysignature') { should eq 1 } + its('requiresecuritysignature') { should eq 1 } + its('RestrictNullSessAccess') { should eq 1 } + its('enableforcedlogoff') { should eq 1 } + its('autodisconnect') { should eq 15 } + its('SMBServerNameHardeningLevel') { should eq 0 } +end + +# Lanman Workstations Tests +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters') do + its('RequireSecuritySignature') { should eq 1 } + its('EnableSecuritySignature') { should eq 1 } + its('EnablePlainTextPassword') { should eq 0 } +end + +# LDAP Client Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP') do + its('LDAPClientIntegrity') { should eq 1 } +end + +# LDAP Server Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters') do + its('LDAPServerIntegrity') { should eq 2 } +end + +# Session Manager Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager') do + its('ProtectionMode') { should eq 1 } + its('SafeDllSearchMode') { should eq 1 } +end + +# EMET (IE)Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults') do + its('IE') { should eq '*\Internet Explorer\iexplore.exe' } + its('7z') { should eq '*\7-Zip\7z.exe -EAF' } + its('7zFM') { should eq '*\7-Zip\7zFM.exe -EAF' } + its('7zGUI') { should eq '*\7-Zip\7zG.exe -EAF' } + its('Access') { should eq '*\OFFICE1*\MSACCESS.EXE' } + its('Acrobat') { should eq '*\Adobe\Acrobat*\Acrobat\Acrobat.exe' } + its('AcrobatReader') { 
should eq '*\Adobe\Reader*\Reader\AcroRd32.exe' } + its('Chrome') { should eq '*\Google\Chrome\Application\chrome.exe -SEHOP' } + its('Excel') { should eq '*\OFFICE1*\EXCEL.EXE' } + its('Firefox') { should eq '*\Mozilla Firefox\firefox.exe' } + its('FirefoxPluginContainer') { should eq '*\Mozilla Firefox\plugin-container.exe' } + its('FoxitReader') { should eq '*\Foxit Reader\Foxit Reader.exe' } + its('GoogleTalk') { should eq '*\Google\Google Talk\googletalk.exe -DEP -SEHOP' } + its('InfoPath') { should eq '*\OFFICE1*\INFOPATH.EXE' } + its('iTunes') { should eq '*\iTunes\iTunes.exe' } + its('jre6_java') { should eq '*\Java\jre6\bin\java.exe -HeapSpray' } + its('jre6_javaw') { should eq '*\Java\jre6\bin\javaw.exe -HeapSpray' } + its('jre6_javaws') { should eq '*\Java\jre6\bin\javaws.exe -HeapSpray' } + its('jre7_java') { should eq '*\Java\jre7\bin\java.exe -HeapSpray' } + its('jre7_javaw') { should eq '*\Java\jre7\bin\javaw.exe -HeapSpray' } + its('jre7_javaws') { should eq '*\Java\jre7\bin\javaws.exe -HeapSpray' } + its('jre8_java') { should eq '*\Java\jre1.8*\bin\java.exe -HeapSpray' } + its('jre8_javaw') { should eq '*\Java\jre1.8*\bin\javaw.exe -HeapSpray' } + its('jre8_javaws') { should eq '*\Java\jre1.8*\bin\javaws.exe -HeapSpray' } + its('LiveWriter') { should eq '*\Windows Live\Writer\WindowsLiveWriter.exe' } + its('Lync') { should eq '*\OFFICE1*\LYNC.EXE' } + its('LyncCommunicator') { should eq '*\Microsoft Lync\communicator.exe' } + its('mIRC') { should eq '*\mIRC\mirc.exe' } + its('Opera') { should eq '*\Opera\opera.exe' } + its('Outlook') { should eq '*\OFFICE1*\OUTLOOK.EXE' } + its('PhotoGallery') { should eq '*\Windows Live\Photo Gallery\WLXPhotoGallery.exe' } + its('Photoshop') { should eq '*\Adobe\Adobe Photoshop CS*\Photoshop.exe' } + its('Picture Manager') { should eq '*\OFFICE1*\OIS.EXE' } + its('Pidgin') { should eq '*\Pidgin\pidgin.exe' } + its('PowerPoint') { should eq '*\OFFICE1*\POWERPNT.EXE' } + its('PPTViewer') { should eq 
'*\OFFICE1*\PPTVIEW.EXE' } + its('Publisher') { should eq '*\OFFICE1*\MSPUB.EXE' } + its('QuickTimePlayer') { should eq '*\QuickTime\QuickTimePlayer.exe' } + its('RealConverter') { should eq '*\Real\RealPlayer\realconverter.exe' } + its('RealPlayer') { should eq '*\Real\RealPlayer\realplay.exe' } + its('Safari') { should eq '*\Safari\Safari.exe' } + its('SkyDrive') { should eq '*\SkyDrive\SkyDrive.exe' } + its('Skype') { should eq '*\Skype\Phone\Skype.exe -EAF' } + its('Thunderbird') { should eq '*\Mozilla Thunderbird\thunderbird.exe' } + its('ThunderbirdPluginContainer') { should eq '*\Mozilla Thunderbird\plugin-container.exe' } + its('UnRAR') { should eq '*\WinRAR\unrar.exe' } + its('Visio') { should eq '*\OFFICE1*\VISIO.EXE' } + its('VisioViewer') { should eq '*\OFFICE1*\VPREVIEW.EXE' } + its('VLC') { should eq '*\VideoLAN\VLC\vlc.exe' } + its('Winamp') { should eq '*\Winamp\winamp.exe' } + its('WindowsLiveMail') { should eq '*\Windows Live\Mail\wlmail.exe' } + its('WindowsMediaPlayer') { should eq '*\Windows Media Player\wmplayer.exe -SEHOP -EAF -MandatoryASLR' } + its('WinRARConsole') { should eq '*\WinRAR\rar.exe' } + its('WinRARGUI') { should eq '*\WinRAR\winrar.exe' } + its('WinZip') { should eq '*\WinZip\winzip32.exe' } + its('Winzip64') { should eq '*\WinZip\winzip64.exe' } + its('Word') { should eq '*\OFFICE1*\WINWORD.EXE' } + its('Wordpad') { should eq '*\Windows NT\Accessories\wordpad.exe' } +end + +# EMET (IE)Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings') do + its('DEP') { should eq 2 } +end + +# Session Management Kernal Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel') do + its('ObCaseInsensitive') { should eq 1 } +end + +# WDigest Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest') do + its('UseLogonCredential') { should eq 0 } +end + +# Memory Management Test 
+describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management') do + its('ClearPageFileAtShutdown') { should eq 0 } +end + +# RecoveryConsole Parameters Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole') do + its('setcommand') { should eq 0 } + its('securitylevel') { should eq 0 } +end + +# Event Log Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security') do + its('WarningLevel') { should eq 90 } +end + +# Cryptography Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography') do + its('ForceKeyProtection') { should eq 2 } +end + +# Lanman Print Drivers Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers') do + its('AddPrinterDrivers') { should eq 1 } +end + +# CodeIdentifiers Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers') do + its('authenticodeenabled') { should eq 0 } +end + +# rubocop:disable all +# AllowedPaths Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths') do + its('Machine') { should include /(System\\CurrentControlSet\\Control\\Print\\Printers)/ } +end + +# AllowedExactPaths Test +describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths') do + its('Machine') { should include /(System\\CurrentControlSet\\Control\\ProductOptions)/ } +end + +# rubocop:enable all +# WinRS Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS') do + its('AllowRemoteShellAccess') { should eq 1 } +end + +# Search Companion prevented from automatically downloading content updates. 
+describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion') do + its('DisableContentFileUpdates') { should eq 1 } +end + +# SQMC Test +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows') do + its('CEIPEnable') { should eq 0 } +end + +# Disable Microsoft Online Accounts Test +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount') do + its('value') { should eq 0 } +end + +# Disable Network SelectionUI Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System') do + its('DontDisplayNetworkSelectionUI') { should eq 1 } +end + +# UAC Elevation TesT +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer') do + its('AlwaysInstallElevated') { should eq 0 } +end + +# Audit Application Log Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application') do + its('MaxSize') { should eq 327_68 } + its('Retention') { should eq '0' } +end + +# Audit Security Log Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security') do + its('MaxSize') { should eq 196_608 } + its('Retention') { should eq '0' } +end + +# Audit EventLog Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System') do + its('MaxSize') { should eq 327_68 } + its('Retention') { should eq '0' } +end + +# Auto Mount CD Drive Tests +describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer') do + its('NoDriveTypeAutoRun') { should eq 255 } + its('NoPublishingWizard') { should eq 1 } +end + +# RDP encryption Test +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services') do + its('MinEncryptionLevel') { should eq 3 } +end + +# Index of Encryption Files Test +describe 
registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search') do + its('AllowIndexingEncryptedStoresOrItems') { should eq 0 } +end + +# Personalization Lock screen Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization') do + its('NoLockScreenSlideshow') { should eq 1 } + its('NoLockScreenCamera') { should eq 1 } +end + +# Personalization Lock screen Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client') do + its('CEIP') { should eq 2 } +end + +# Turn off Windows Update device driver searching Test +describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching') do + its('DontSearchWindowsUpdate') { should eq 1 } +end + +# PowerShell Settings +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging') do + its('EnableScriptBlockLogging') { should eq 0 } +end +describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription') do + its('EnableTranscripting') { should eq 0 } +end + +# Local Policy Script +script = <<-EOH +secedit /export /cfg c:\\temp\\tempexport.inf /quiet +Get-content C:\\temp\\tempexport.inf | findstr /B ` +/C:"MinimumPasswordAge = 1" ` +/C:"MaximumPasswordAge = 42" ` +/C:"MinimumPasswordLength = 14" ` +/C:"PasswordComplexity = 1" ` +/C:"PasswordHistorySize = 24" ` +/C:"LockoutBadCount = 10" ` +/C:"ResetLockoutCount = 15" ` +/C:"LockoutDuration = 15" ` +/C:"SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544" ` +/C:"SeServiceLogonRight = *S-1-5-80-0" ` +/C:"SeInteractiveLogonRight = *S-1-5-32-544" ` +/C:"SeSecurityPrivilege = *S-1-5-32-544" ` +/C:"SeSystemEnvironmentPrivilege = *S-1-5-32-544" ` +/C:"SeProfileSingleProcessPrivilege = *S-1-5-32-544" ` +/C:"SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20" ` +/C:"SeRestorePrivilege = *S-1-5-32-544" ` +/C:"SeShutdownPrivilege = *S-1-5-32-544" ` +/C:"SeTakeOwnershipPrivilege = 
*S-1-5-32-544" `
+/C:"SeDenyNetworkLogonRight = *S-1-5-32-546" `
+/C:"SeDenyBatchLogonRight = *S-1-5-32-546" `
+/C:"SeDenyServiceLogonRight = *S-1-5-32-546" `
+/C:"SeDenyInteractiveLogonRight = *S-1-5-32-546"
+del "C:\\temp\\tempexport.inf" -force -ErrorAction SilentlyContinue
+EOH
+
+# Local Policy Tester
+describe powershell(script) do
+ its('stdout') do
+ should eq "MinimumPasswordAge = 1\r
+MaximumPasswordAge = 42\r
+MinimumPasswordLength = 14\r
+PasswordComplexity = 1\r
+PasswordHistorySize = 24\r
+LockoutBadCount = 10\r
+ResetLockoutCount = 15\r
+LockoutDuration = 15\r
+SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544\r
+SeServiceLogonRight = *S-1-5-80-0\r
+SeInteractiveLogonRight = *S-1-5-32-544\r
+SeSecurityPrivilege = *S-1-5-32-544\r
+SeSystemEnvironmentPrivilege = *S-1-5-32-544\r
+SeProfileSingleProcessPrivilege = *S-1-5-32-544\r
+SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20\r
+SeRestorePrivilege = *S-1-5-32-544\r
+SeShutdownPrivilege = *S-1-5-32-544\r
+SeTakeOwnershipPrivilege = *S-1-5-32-544\r
+SeDenyNetworkLogonRight = *S-1-5-32-546\r
+SeDenyBatchLogonRight = *S-1-5-32-546\r
+SeDenyServiceLogonRight = *S-1-5-32-546\r
+SeDenyInteractiveLogonRight = *S-1-5-32-546\r\n"
+ end
+ its('stderr') { should eq '' }
+end
diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb
deleted file mode 100644
index 6fdb298..0000000
--- a/test/integration/default/serverspec/default_spec.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'spec_helper'
-
-describe 'base-win2012-hardening::default' do
- # Serverspec examples can be found at
- # http://serverspec.org/resource_types.html
- it 'does something' do
- skip 'Replace this with meaningful tests'
- end
-end
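Review bot: `its('FullPrivilegeAuditing') { should eq [01] }` in the LSA block depends on a leading-zero literal — `01` is octal and evaluates to `[1]`, and the same notation with an 8 or 9 would not parse — so if a single byte of a REG_BINARY value is meant, write it as `[1]` (or `[0x01]`) so the expectation reads as the byte it checks. The two PowerShell blocks pin `EnableScriptBlockLogging` and `EnableTranscripting` to 0; that may be what the benchmark revision being tracked specifies, but because it asserts that two PowerShell audit sources stay off, the heading should cite the item that justifies it, e.g. `# PowerShell Settings: benchmark item <ID PLACEHOLDER> expects both disabled`. In the `powershell(script)` block, `secedit /export` writes the whole local security policy to `c:\temp\tempexport.inf` and the final `del` is the only cleanup, which works only because each line of the script runs independently of the previous one's result — a short comment saying the export is transient and must always be removed would keep a later edit (for example an early `exit` on findstr failure) from leaving it behind. Smaller documentation fixes: the `SysSettings` block reuses the `# EMET (IE)Parameters Test` heading, the Messenger `CEIP` block reuses `# Personalization Lock screen Test`, and `Kernal` in the Session Manager heading is misspelled.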