Created
June 26, 2018 05:58
-
-
Save lukemurraynz/70d465d069eccda9c2f6bbb25d7b9870 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -Version 4.0 | |
| <# | |
| Author: Luke Murray (Luke.Geek.NZ) | |
| Version: 0.1 | |
| Purpose: Windows 10 Baseline Hardening using DSC per DoD DISA STIG recommendations 22/06/18. | |
| #> | |
| Configuration 'Win10' | |
| { | |
| Import-DscResource -ModuleName PSDesiredStateConfiguration | |
| Node localhost | |
| { | |
| Registry 'EnhancedAntiSpoofing' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures' | |
| ValueName = 'EnhancedAntiSpoofing' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'EccCurves' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' | |
| ValueName = 'EccCurves' | |
| ValueType = 'MultiString' | |
| ValueData = 'System.String[]' | |
| } | |
| Registry 'DisableEnclosureDownload' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds' | |
| ValueName = 'DisableEnclosureDownload' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'FormSuggest Passwords' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main' | |
| ValueName = 'FormSuggest Passwords' | |
| ValueType = 'String' | |
| ValueData = 'no' | |
| } | |
| Registry 'AllowInPrivate' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main' | |
| ValueName = 'AllowInPrivate' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'PreventOverride' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter' | |
| ValueName = 'PreventOverride' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'PreventOverrideAppRepUnknown' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter' | |
| ValueName = 'PreventOverrideAppRepUnknown' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'EnabledV9' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter' | |
| ValueName = 'EnabledV9' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'ClearBrowsingHistoryOnExit' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Privacy' | |
| ValueName = 'ClearBrowsingHistoryOnExit' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'TPM12' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices' | |
| ValueName = 'TPM12' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'MinimumPINLength' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity' | |
| ValueName = 'MinimumPINLength' | |
| ValueType = 'DWord' | |
| ValueData = '6' | |
| } | |
| Registry 'RequireSecurityDevice' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork' | |
| ValueName = 'RequireSecurityDevice' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'DCSettingIndex' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' | |
| ValueName = 'DCSettingIndex' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'ACSettingIndex' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' | |
| ValueName = 'ACSettingIndex' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'DisableInventory' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat' | |
| ValueName = 'DisableInventory' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'DisableWindowsConsumerFeatures' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent' | |
| ValueName = 'DisableWindowsConsumerFeatures' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'AllowProtectedCreds' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation' | |
| ValueName = 'AllowProtectedCreds' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'AllowTelemetry' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection' | |
| ValueName = 'AllowTelemetry' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'DODownloadMode' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization' | |
| ValueName = 'DODownloadMode' | |
| ValueType = 'DWord' | |
| ValueData = '2' | |
| } | |
| Registry 'HypervisorEnforcedCodeIntegrity' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
| ValueName = 'HypervisorEnforcedCodeIntegrity' | |
| ValueType = 'DWord' | |
| ValueData = '2' | |
| } | |
| Registry 'EnableVirtualizationBasedSecurity' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
| ValueName = 'EnableVirtualizationBasedSecurity' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'HVCIMATRequired' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
| ValueName = 'HVCIMATRequired' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'LsaCfgFlags' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
| ValueName = 'LsaCfgFlags' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'RequirePlatformSecurityFeatures' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard' | |
| ValueName = 'RequirePlatformSecurityFeatures' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'MaxSize' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application' | |
| ValueName = 'MaxSize' | |
| ValueType = 'DWord' | |
| ValueData = '32768' | |
| } | |
| Registry 'MaxSize1' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security' | |
| ValueName = 'MaxSize' | |
| ValueType = 'DWord' | |
| ValueData = '1024000' | |
| } | |
| Registry 'MaxSize2' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System' | |
| ValueName = 'MaxSize' | |
| ValueType = 'DWord' | |
| ValueData = '32768' | |
| } | |
| Registry 'NoAutoplayfornonVolume' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer' | |
| ValueName = 'NoAutoplayfornonVolume' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'AllowGameDVR' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameDVR' | |
| ValueName = 'AllowGameDVR' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'NoBackgroundPolicy' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' | |
| ValueName = 'NoBackgroundPolicy' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'NoGPOListChanges' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' | |
| ValueName = 'NoGPOListChanges' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'EnableUserControl' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer' | |
| ValueName = 'EnableUserControl' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'AlwaysInstallElevated' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer' | |
| ValueName = 'AlwaysInstallElevated' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'AllowInsecureGuestAuth' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation' | |
| ValueName = 'AllowInsecureGuestAuth' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'NC_ShowSharedAccessUI' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections' | |
| ValueName = 'NC_ShowSharedAccessUI' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry '\\*\NETLOGON' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' | |
| ValueName = '\\*\NETLOGON' | |
| ValueType = 'String' | |
| ValueData = 'RequireMutualAuthentication=1,RequireIntegrity=1' | |
| } | |
| Registry '\\*\SYSVOL' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' | |
| ValueName = '\\*\SYSVOL' | |
| ValueType = 'String' | |
| ValueData = 'RequireMutualAuthentication=1,RequireIntegrity=1' | |
| } | |
| Registry 'DisableFileSyncNGSC' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive' | |
| ValueName = 'DisableFileSyncNGSC' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'NoLockScreenCamera' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization' | |
| ValueName = 'NoLockScreenCamera' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'NoLockScreenSlideshow' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization' | |
| ValueName = 'NoLockScreenSlideshow' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'EnableScriptBlockLogging' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' | |
| ValueName = 'EnableScriptBlockLogging' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'ShellSmartScreenLevel' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
| ValueName = 'ShellSmartScreenLevel' | |
| ValueType = 'String' | |
| ValueData = 'Block' | |
| } | |
| Registry 'DontDisplayNetworkSelectionUI' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
| ValueName = 'DontDisplayNetworkSelectionUI' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'EnumerateLocalUsers' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
| ValueName = 'EnumerateLocalUsers' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'EnableSmartScreen' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' | |
| ValueName = 'EnableSmartScreen' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'fBlockNonDomain' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' | |
| ValueName = 'fBlockNonDomain' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'AllowIndexingEncryptedStoresOrItems' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search' | |
| ValueName = 'AllowIndexingEncryptedStoresOrItems' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'AllowBasic' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client' | |
| ValueName = 'AllowBasic' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'AllowDigest' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client' | |
| ValueName = 'AllowDigest' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'AllowUnencryptedTraffic' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client' | |
| ValueName = 'AllowUnencryptedTraffic' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'AllowBasic1' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' | |
| ValueName = 'AllowBasic' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'DisableRunAs' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' | |
| ValueName = 'DisableRunAs' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'AllowUnencryptedTraffic1' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service' | |
| ValueName = 'AllowUnencryptedTraffic' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'DisableHTTPPrinting' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers' | |
| ValueName = 'DisableHTTPPrinting' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'DisableWebPnPDownload' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers' | |
| ValueName = 'DisableWebPnPDownload' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'RestrictRemoteClients' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc' | |
| ValueName = 'RestrictRemoteClients' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'fAllowFullControl' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'fAllowFullControl' | |
| ValueType = 'String' | |
| ValueData = ' ' | |
| } | |
| Registry 'MaxTicketExpiryUnits' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'MaxTicketExpiryUnits' | |
| ValueType = 'String' | |
| ValueData = ' ' | |
| } | |
| Registry 'fAllowToGetHelp' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'fAllowToGetHelp' | |
| ValueType = 'DWord' | |
| ValueData = '0' | |
| } | |
| Registry 'fUseMailto' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'fUseMailto' | |
| ValueType = 'String' | |
| ValueData = ' ' | |
| } | |
| Registry 'MaxTicketExpiry' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'MaxTicketExpiry' | |
| ValueType = 'String' | |
| ValueData = ' ' | |
| } | |
| Registry 'MinEncryptionLevel' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'MinEncryptionLevel' | |
| ValueType = 'DWord' | |
| ValueData = '3' | |
| } | |
| Registry 'DisablePasswordSaving' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'DisablePasswordSaving' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'fEncryptRPCTraffic' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'fEncryptRPCTraffic' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'fDisableCdm' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'fDisableCdm' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| Registry 'fPromptForPassword' { | |
| Ensure = 'Present' | |
| Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services' | |
| ValueName = 'fPromptForPassword' | |
| ValueType = 'DWord' | |
| ValueData = '1' | |
| } | |
| } | |
| } | |
| Win10 | |
| #Start-DscConfiguration -Path ./Win10 -Wait -Verbose -Force |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Any reason for
Registry 'AllowTelemetry' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection' ValueName = 'AllowTelemetry' ValueType = 'DWord' ValueData = '1' }You set ValueData to 1?
According to https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63683 setting the Value to 0 would allow for more secure config.
My guess is you don't want admins/users to inadvertently break some applications?