1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
#
# Author:: Ashwini Nehate (<anehate@chef.io>)
# Author:: Davin Taddeo (<davin@chef.io>)
# Author:: Jeff Brimager (<jbrimager@chef.io>)
# Copyright:: Copyright (c) Chef Software Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require_relative "../resource"
class Chef
class Resource
class WindowsSecurityPolicy < Chef::Resource
unified_mode true
provides :windows_security_policy
# The valid policy_names options found here
# https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings'
policy_names = %w{LockoutDuration
MaximumPasswordAge
MinimumPasswordAge
MinimumPasswordLength
PasswordComplexity
PasswordHistorySize
LockoutBadCount
ResetLockoutCount
RequireLogonToChangePassword
ForceLogoffWhenHourExpire
NewAdministratorName
NewGuestName
ClearTextPassword
LSAAnonymousNameLookup
EnableAdminAccount
EnableGuestAccount
}
description "Use the **windows_security_policy** resource to set a security policy on the Microsoft Windows platform."
introduced "16.0"
examples <<~DOC
**Set Administrator Account to Enabled**:
```ruby
windows_security_policy 'EnableAdminAccount' do
secvalue '1'
action :set
end
```
**Rename Administrator Account**:
```ruby
windows_security_policy 'NewAdministratorName' do
secvalue 'AwesomeChefGuy'
action :set
end
```
**Set Guest Account to Disabled**:
```ruby
windows_security_policy 'EnableGuestAccount' do
secvalue '0'
action :set
end
```
DOC
property :secoption, String, name_property: true, required: true, equal_to: policy_names,
description: "The name of the policy to be set on windows platform to maintain its security."
property :secvalue, String, required: true,
description: "Policy value to be set for policy name."
load_current_value do |desired|
powershell_code = <<-CODE
C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\secopts_export.inf | Out-Null
# cspell:disable-next-line
$security_options_data = (Get-Content $env:TEMP\\secopts_export.inf | Select-String -Pattern "^[CEFLMNPR].* =.*$" | Out-String)
Remove-Item $env:TEMP\\secopts_export.inf -force
$security_options_hash = ($security_options_data -Replace '"'| ConvertFrom-StringData)
([PSCustomObject]@{
RequireLogonToChangePassword = $security_options_hash.RequireLogonToChangePassword
PasswordComplexity = $security_options_hash.PasswordComplexity
LSAAnonymousNameLookup = $security_options_hash.LSAAnonymousNameLookup
EnableAdminAccount = $security_options_hash.EnableAdminAccount
PasswordHistorySize = $security_options_hash.PasswordHistorySize
MinimumPasswordLength = $security_options_hash.MinimumPasswordLength
ResetLockoutCount = $security_options_hash.ResetLockoutCount
MaximumPasswordAge = $security_options_hash.MaximumPasswordAge
ClearTextPassword = $security_options_hash.ClearTextPassword
NewAdministratorName = $security_options_hash.NewAdministratorName
LockoutDuration = $security_options_hash.LockoutDuration
EnableGuestAccount = $security_options_hash.EnableGuestAccount
ForceLogoffWhenHourExpire = $security_options_hash.ForceLogoffWhenHourExpire
MinimumPasswordAge = $security_options_hash.MinimumPasswordAge
NewGuestName = $security_options_hash.NewGuestName
LockoutBadCount = $security_options_hash.LockoutBadCount
}) | ConvertTo-Json
CODE
output = powershell_out(powershell_code)
current_value_does_not_exist! if output.stdout.empty?
state = Chef::JSONCompat.from_json(output.stdout)
if desired.secoption == "ResetLockoutCount" || desired.secoption == "LockoutDuration"
if state["LockoutBadCount"] == "0"
raise Chef::Exceptions::ValidationFailed.new "#{desired.secoption} cannot be set unless the \"LockoutBadCount\" security policy has been set to a non-zero value"
else
secvalue state[desired.secoption.to_s]
end
else
secvalue state[desired.secoption.to_s]
end
end
action :set do
converge_if_changed :secvalue do
security_option = new_resource.secoption
security_value = new_resource.secvalue
cmd = <<-EOH
$security_option = "#{security_option}"
C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
{
$#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
}
else
{
$#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\\s*=\\s*\\d*", "#{security_option} = #{security_value}" } | Set-Content $env:TEMP\\#{security_option}_Export.inf
C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
}
Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
EOH
powershell_out!(cmd)
end
end
end
end
end
|