WindowsServer
Eric Jenkins edited this page Dec 6, 2023 · 7 revisions
A composite DSC resource to manage the Windows Server STIG settings
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
OsVersion | True | String | The version of the server operating system STIG to apply and monitor. | 2012R2, 2016 |
OsRole | True | String | The role of the server operating system STIG to apply and monitor. This value further filters OsVersion to select the exact STIG to apply (DC = domain controller, MS = member server). | DC, MS |
StigVersion | False | Version | Combined with OsVersion and OsRole to select the version of the STIG to apply and monitor. If this parameter is not provided, the most recent version of the STIG found locally is automatically selected. | 2.12, 2.13 |
ForestName | False | String | Sets the forest name for items such as security groups. The input should be the FQDN of the forest. If omitted, the forest name of the computer that compiles the configuration is used. | |
DomainName | False | String | Sets the domain name for items such as security groups. The input should be the FQDN of the domain. If omitted, the domain name of the computer that compiles the configuration is used. | |
Exception | False | PSObject | A hashtable of @{StigId = @{Property = 'Value'}} that is injected into the STIG data and applied to the target node. The property name must match a property of the DSC resource PowerSTIG generates for that rule. | |
OrgSettings | False | PSObject | Either the path to an XML file or a hashtable of @{StigId = @{Property = 'Value'}} that contains the local organization's preferred settings for STIG items that have allowable ranges. | |
SkipRule | False | PSObject | One or more STIG IDs whose rules are injected into the STIG data as skips and applied to the target node. The title of each skipped setting is tagged with the text 'Skip', so skips can be identified across the data center when DSC log collection is centralized. | |
SkipRuleType | False | PSObject | All STIG rule IDs of the specified type (for example 'AuditPolicyRule') are collected in an array and passed to the Skip-Rule function. Each rule then follows the same process as the SkipRule parameter. | |
```powershell
<#
    Use the embedded STIG data with default range values.
    In this example, the composite resource applies the 2012 R2 member server STIG,
    version 2.12, from the STIG data files shipped with the module and merges in the
    default values for any settings that have a valid range. Omit StigVersion to have
    the composite resource select the highest version file it can find locally instead;
    pinning it, as here, keeps the compiled configuration reproducible across nodes.
#>
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
        }
    }
}
```
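Compiling the configuration is only the first step; a practitioner audits the node against the compiled MOF before anything is enforced. The sequence below is an added example, not code from the original page or from the PowerSTIG project. It assumes a Windows PowerShell 5.1 session running elevated, with PowerSTIG and its dependency modules installed and the `Example` configuration above already loaded; the output folder name is an assumption.

```powershell
# Added example: compile the 'Example' configuration above, audit the node against the
# result without changing anything, and only then apply it.
# Assumes an elevated Windows PowerShell 5.1 session in which the configuration block
# above has been loaded and PowerSTIG is installed.
$outputPath = Join-Path -Path $env:TEMP -ChildPath 'PowerStigMof'   # assumed location

# 1. Compile. The composite resource expands the STIG into individual DSC resource
#    instances; every 'instance of' line in the MOF is one generated resource.
$mof = Example -NodeName 'localhost' -OutputPath $outputPath
$resourceCount = (Select-String -Path $mof.FullName -Pattern '^instance of ').Count
"Compiled $($mof.FullName) with $resourceCount resource instances"

# 2. Audit only. Test-DscConfiguration with -ReferenceConfiguration compares the node
#    to the MOF and reports drift; nothing on the node is modified.
$audit = Test-DscConfiguration -ReferenceConfiguration $mof.FullName
$audit.ResourcesNotInDesiredState |
    Select-Object -Property ResourceId, InstanceName |
    Format-Table -AutoSize

# 3. Apply, but only after the drift list has been reviewed. -Force replaces any
#    configuration already pending on the node.
if (-not $audit.InDesiredState)
{
    Start-DscConfiguration -Path $outputPath -Wait -Verbose -Force
    Get-DscConfigurationStatus |
        Select-Object -Property Status, NumberOfResources,
            @{ Name = 'Drift'; Expression = { $_.ResourcesNotInDesiredState.Count } }
}
```

Step 2 is the one that matters on a production host: it gives the list of settings the STIG will change, so an unexpected entry (a service the node depends on, a hardened-but-different local policy) is caught before `Start-DscConfiguration` enforces it.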
Example
```powershell
<#
    Use embedded STIG data and inject exception data.
    In this example, the Windows Server 2012 R2 member server STIG, version 2.12, is
    processed by the composite resource, which merges in the default values for any
    settings that have a valid range. Additionally, an exception is added inline to the
    configuration, so that the setting for STIG ID V-1075 is overwritten with the value 1.
    The key of the inner hashtable (ValueData here) must be the name of the property on the
    DSC resource that PowerSTIG generates for that rule.
#>
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            Exception   = @{ 'V-1075' = @{ 'ValueData' = '1' } }
        }
    }
}
```
Example
```powershell
<#
    Provide an override for the default or blank values in the organizational settings
    as an inline hashtable instead of an XML file. Each key is a STIG ID and each value
    names the property to set; use STIG IDs that exist in the selected OsVersion and
    StigVersion.
#>
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            OrgSettings = @{
                'V-205909' = @{
                    OptionValue = 'xAdmin'
                }
                'V-205910' = @{
                    OptionValue = 'Disabled_Guest'
                }
            }
        }
    }
}
```
Example
Apply the Windows Server STIG to a node, but override the default organizational settings with a local file.
```powershell
<#
    Provide an organizational range XML file to merge into the main STIG settings.
    In this example, the Windows Server 2012 R2 member server STIG is processed
    by the composite resource. Instead of merging in the default values for any settings
    that have a valid range, the organization has provided a list of values to merge
    into the valid ranges.
#>
# Creates a sample organizational settings file for the example to use.
function New-OrgSettingXmlFile
{
@"
<?xml version="1.0"?>
<!-- The organizational settings file is used to define the local organization's preferred setting within an allowed range of the STIG. Each setting in this file is linked by STIG ID and the valid range is in an associated comment. -->
<OrganizationalSettings version="2.12">
  <!-- Ensure 'V-1090' -le '4'-->
  <OrganizationalSetting value="3" id="V-1090"/>
  <!-- Ensure ''V-1097'' -le '3' -and ''V-1097'' -ne '0'-->
  <OrganizationalSetting value="2" id="V-1097"/>
  <!-- Ensure ''V-1098'' -ge '15'-->
  <OrganizationalSetting value="16" id="V-1098"/>
</OrganizationalSettings>
"@ | Out-File -FilePath "$PSScriptRoot\orgsettings.xml"
}

configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            OrgSettings = "$PSScriptRoot\orgsettings.xml"
        }
    }
}

# Write the sample file before the configuration is compiled.
New-OrgSettingXmlFile
```
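A value that falls outside the range recorded in the file's comments is the usual way an organizational settings file goes wrong, and nothing in the file itself enforces the range. The function below is an added example, not PowerSTIG code: it reads each `OrganizationalSetting`, finds the `Ensure ...` comment in front of it, substitutes the setting's value for the STIG ID placeholder and evaluates the comparison. It assumes the comment layout shown in the file above (`'V-1090'` or `''V-1097''` as the placeholder, `-le`/`-ge`/`-ne`-style operators joined with `-and`/`-or`); because the expression originates in a file, only that restricted shape is ever evaluated.

```powershell
# Added example (not PowerSTIG code): check every value in an organizational settings
# file against the allowed range recorded in the comment preceding each setting, e.g.
#   <!-- Ensure 'V-1090' -le '4'-->
#   <!-- Ensure ''V-1097'' -le '3' -and ''V-1097'' -ne '0'-->
# Assumes that comment layout (as in the file generated above); anything else is reported
# with InRange = $null rather than evaluated.
function Test-OrgSettingRange
{
    param
    (
        [Parameter(Mandatory)]
        [string]
        $Path
    )

    [xml] $doc = Get-Content -Path $Path -Raw

    # Only a chain of  <'text' or integer> <-le|-ge|-lt|-gt|-eq|-ne> <'text' or integer>
    # joined by -and/-or is ever evaluated, so a tampered comment cannot run arbitrary code.
    $operand  = "('[^']*'|\d+)"
    $clause   = $operand + '\s+-(le|ge|lt|gt|eq|ne)\s+' + $operand
    $safeExpr = '^\s*' + $clause + '(\s+-(and|or)\s+' + $clause + ')*\s*$'

    foreach ($setting in $doc.OrganizationalSettings.OrganizationalSetting)
    {
        $id    = $setting.GetAttribute('id')
        $value = $setting.GetAttribute('value')

        # The range comment is the nearest preceding comment node.
        $node = $setting.PreviousSibling
        while ($node -and $node.NodeType -ne [System.Xml.XmlNodeType]::Comment)
        {
            $node = $node.PreviousSibling
        }
        $range = if ($node) { $node.Value.Trim() -replace '^Ensure\s+', '' } else { $null }

        # Substitute the placeholder ('V-1090' or ''V-1097'') with the value. Integers are
        # inserted unquoted so the comparison is numeric; '10' -le '4' would otherwise be
        # a lexical comparison and pass.
        $literal = if ($value -match '^\d+$') { $value } else { "'$value'" }
        $expr    = if ($range) { $range -replace ("'+" + [regex]::Escape($id) + "'+"), $literal } else { $null }

        $inRange = $null
        if ($expr -and $expr -match $safeExpr)
        {
            $inRange = [bool] (& ([scriptblock]::Create($expr)))
        }

        [pscustomobject] @{
            Id      = $id
            Value   = $value
            Range   = $range
            InRange = $inRange
        }
    }
}

# Usage, with the file produced by New-OrgSettingXmlFile above:
# Test-OrgSettingRange -Path "$PSScriptRoot\orgsettings.xml" | Format-Table -AutoSize
```

For the three settings in the sample file the expressions become `3 -le '4'`, `2 -le '3' -and 2 -ne '0'` and `16 -ge '15'`, all of which report `InRange = True`; change `V-1090` to `5` and the first row flips to `False` before the file ever reaches a node.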
Example
```powershell
<#
    Use embedded STIG data and inject a skipped rule. In this example,
    the Windows Server 2012 R2 domain controller STIG, version 2.12, is processed
    by the composite resource, which merges in the default values for any
    settings that have a valid range. Additionally, a skip is added
    inline to the configuration, so that the setting for STIG ID V-1075
    is marked to skip configuration when applied.
#>
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'DC'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            SkipRule    = 'V-1075'
        }
    }
}
```
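Both the exception example earlier on this page and the skip example above change what the composite resource emits for V-1075, and the place to confirm that is the compiled MOF, before it is pushed anywhere. The snippet below is an added example, not code from the original page or from PowerSTIG. It assumes whichever `Example` configuration above was loaded last is in the session, an assumed output folder, and that the MOF carries the STIG ID and the 'Skip' tag in the resource text as the page describes; the `ValueData` pattern is an assumption about the MOF layout for a registry rule.

```powershell
# Added example (not PowerSTIG code): after compiling a configuration that carries an
# Exception or a SkipRule, confirm in the MOF that the rule came out as intended.
# Assumes the 'Example' configuration defined above has been loaded into the session;
# the folder name and the text-layout checks on the MOF are assumptions.
function Get-MofResourceBlock
{
    param
    (
        [Parameter(Mandatory)] [string] $MofPath,
        [Parameter(Mandatory)] [string] $StigId
    )

    # Every generated resource is one 'instance of ... { ... };' block; return the blocks
    # whose text mentions the STIG ID (assumed: PowerSTIG puts the ID in the resource ID).
    $text = Get-Content -Path $MofPath -Raw
    ($text -split '(?m)^instance of ') |
        Where-Object { $_ -match [regex]::Escape($StigId) } |
        ForEach-Object { 'instance of ' + $_.Trim() }
}

$outputPath = Join-Path -Path $env:TEMP -ChildPath 'PowerStigMof'   # assumed location
$mof    = Example -NodeName 'localhost' -OutputPath $outputPath
$blocks = Get-MofResourceBlock -MofPath $mof.FullName -StigId 'V-1075'

foreach ($block in $blocks)
{
    $block   # show the generated resource so the reviewer sees exactly what will be applied

    # With SkipRule = 'V-1075' the block should carry the 'Skip' tag; with
    # Exception = @{'V-1075' = @{ValueData = '1'}} the property should read 1.
    $valueData = $null
    if ($block -match 'ValueData\s*=\s*\{?\s*"([^"]*)"')
    {
        $valueData = $Matches[1]
    }

    [pscustomobject] @{
        StigId    = 'V-1075'
        Skipped   = [bool] ($block -match 'Skip')
        ValueData = $valueData
    }
}
```

An empty `$blocks` means the STIG ID is not in the selected STIG data at all, which is the first thing to check when an exception or skip appears to have no effect.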
Example
```powershell
<#
    Use embedded STIG data and skip an entire rule set. In this example,
    the Windows Server 2012 R2 domain controller STIG, version 2.12, is processed by
    the composite resource, which merges in the default values for any settings
    that have a valid range. Additionally, a skip is added inline to the
    configuration, so that the settings for all STIG IDs with the type
    'AuditPolicyRule' are marked to skip configuration when applied.
#>
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion    = '2012R2'
            OsRole       = 'DC'
            StigVersion  = '2.12'
            DomainName   = 'sample.test'
            ForestName   = 'sample.test'
            SkipRuleType = 'AuditPolicyRule'
        }
    }
}
```