dsccommunity / xsystemsecurity

THIS MODULE HAS BEEN DEPRECATED. See the README.md for more information.

Home Page: https://github.com/dsccommunity/xSystemSecurity/blob/master/README.md

License: MIT License

PowerShell 100.00%
uac powershell dsc-resources dsc filesystem

xsystemsecurity's Issues

xUAC should prompt for a reboot

Modifying the specific registry keys will require the system be rebooted to apply the UAC settings. The resource should tell the system to reboot to actually apply this setting.

I believe if the resource sets $global:DSCMachineStatus = 1 the machine will reboot itself, can anyone confirm this before I make a Pull Request?

xFileSystemAccessRule: Fails when cluster shared disk is not present on the server

When the defined path in xFileSystemAccessRule resides on a cluster drive and the node where the configuration is applied does not own the drive, the configuration fails.

I would like to propose to make the xFileSystemAccessRule resource cluster aware. I think the logic could look something like this:

  • If the path does not exist
    • If the server is a member of a cluster
      • If the cluster node does not own the drive specified in the path
        • Exit silently

Cipher and Cipher suites: new resource proposal

Description

Currently we are managing Protocols, Ciphers and Cipher Suites through a lot of registry entries which is a tedious task.
With DSC resources it would be a lot easier for us.

Proposed properties

ProtocolsToDisable: SSL2.0 | SSL3.0 | TLS1.0 | TLS1.1

CiphersToDisable: RC4 40/128 | RC4 56/128 | RC4 128/128 | Triple DES 168

CypherSuitesToDisable: TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA

Special considerations or limitations

A good explanation: https://blogs.technet.microsoft.com/askds/2015/12/08/speaking-in-ciphers-and-other-enigmatic-tonguesupdate/
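
The registry entries this proposal refers to can be audited before any resource manages them. The read-only check below is an added example, not code from the module or the issue author; the function name `Test-SchannelExplicitlyDisabled` is hypothetical, and it covers the protocol and cipher lists only, not cipher suites.

```powershell
# Added example: audits only, changes nothing.
function Test-SchannelExplicitlyDisabled
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Protocols', 'Ciphers')]
        [string] $Kind,

        [Parameter(Mandatory = $true)]
        [string] $Name
    )

    $root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

    # Protocols are configured per role ('Server' here); ciphers sit directly under their name.
    if ($Kind -eq 'Protocols') { $subKey = "$root\Protocols\$Name\Server" }
    else                       { $subKey = "$root\Ciphers\$Name" }

    # The .NET API is used because names such as 'RC4 128/128' contain '/', which the
    # PowerShell registry provider would treat as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
    if ($null -eq $key) { return $false }    # no key: the OS default applies

    try
    {
        $enabled = $key.GetValue('Enabled')
        return (($null -ne $enabled) -and ([int] $enabled -eq 0))
    }
    finally { $key.Close() }
}

# The lists from the proposal, written with the spacing the registry key names use.
$items = [ordered]@{
    Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
    Ciphers   = 'RC4 40/128', 'RC4 56/128', 'RC4 128/128', 'Triple DES 168'
}

$report = foreach ($kind in $items.Keys)
{
    foreach ($name in $items[$kind])
    {
        [pscustomobject] @{
            Kind               = $kind
            Name               = $name
            ExplicitlyDisabled = Test-SchannelExplicitlyDisabled -Kind $kind -Name $name
        }
    }
}
$report | Format-Table -AutoSize
```

A `False` in the last column means only that no explicit `Enabled = 0` value is present; whether the item is actually in use then depends on the operating system's default.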

xUAC Not working with latest PSDscResources

When using PSDscResources 2.8.0.0 and xUAC we get the error message that the "Force" parameter should be used.

To solve this we added Force = $true in xUAC.schema.psm1 to the various registry calls. Not sure it was the right thing to do, but it works again now.

Example:

    $UacKey = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    Registry ConsentPromptBehaviorAdmin
    {
        Ensure = "Present"
        Key = $UacKey
        ValueName = "ConsentPromptBehaviorAdmin"
        ValueData = [string] $ConsentPromptBehaviorAdmin
        ValueType = "Dword"
        Force = $true
    }

xIEEsc | xUac: Error thrown during MOF compilation since version 1.5.0

Details of the scenario you tried and the problem that is occurring

I am already using the module since version 1.4.0.0
I didn't change the configuration, and only upgraded the module to version 1.5.0.
Since then the MOF compilation is throwing an error.
When I change the module version back to 1.4.0 (without any other change), the compilation is working fine again.

Verbose logs showing the problem

VERBOSE: 	Result found for xSystemSecurity
PSDesiredStateConfiguration\Node : The term 'xIEEsc\xIEEsc' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At New-DscMof.ps1:140 char:5
+     Node $AllNodes.NodeName {
+     ~~~~
    + CategoryInfo          : ObjectNotFound: (xIEEsc\xIEEsc:String) [PSDesiredStateConfiguration\node], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CommandNotFoundException,PSDesiredStateConfiguration\node
 
Compilation errors occurred while processing configuration 'New-DscConfiguration'. Please review the errors reported in error stream and modify your configuration code appropriately.
    + CategoryInfo          : InvalidOperation: (New-DscConfiguration:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

Or when I comment out the xIEEsc section I have the following error message:

VERBOSE: 	Result found for xSystemSecurity
PSDesiredStateConfiguration\Node : The term 'xUAC\xUac' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At New-DscMof.ps1:140 char:5
+     Node $AllNodes.NodeName {
+     ~~~~
    + CategoryInfo          : ObjectNotFound: (xUAC\xUac:String) [PSDesiredStateConfiguration\node], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CommandNotFoundException,PSDesiredStateConfiguration\node
 
Compilation errors occurred while processing configuration 'New-DscConfiguration'. Please review the errors reported in error stream and modify your configuration code appropriately.
    + CategoryInfo          : InvalidOperation: (New-DscConfiguration:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Here is the Datum configuration:

xSystemSecurity:
  xIEEsc:
    - UserRole: Administrators
      IsEnabled: False
  xUac:
    Setting: AlwaysNotify

The operating system the target node is running

NA because the problem appears during the creation of the MOF.

Version and build of PowerShell the target node is running

NA because the problem appears during the creation of the MOF.

Version of the DSC module that was used

1.5.0

xFileSystemAccessRule: Test configuration always retrieves "False"

Start-Dsc... works fine but when I run Test, I get False.

Here's my configuration:

    xFileSystemAccessRule ReadControlRedirectionDirectoryEnsure
    {
        Ensure      = "Present"
        Path        = "C:\inetpub\wwwroot\wss\VirtualDirectories\redirect"
        Identity    = "IIS_IUSRS"
        Rights      = @("ReadAndExecute")
        DependsOn   = "[File]RedirectionDirectoryEnsure"
    }

IEEsc Bug on Server 2016

The IEEsc setting does not work correctly on Server 2016. It correctly places the registry entry on the system that works for Server 2012/2012R2. However, it appears that Server 2016 uses a different registry entry for identifying the status of IEEsc.

xFileSystemAccessRule: not working with files?

I have the following simple rule to give "Modify" permission on the file:

xFileSystemAccessRule WorkerRoleNLogInternalLog
{
    Path            = $workerRoleNLogInternalLogFile
    Identity        = $appUserName
    Rights          = "Modify"
    Ensure          = "Present"
}

Applying this configuration gives me the following error:

Exception calling "SetAccessRule" with "1" argument(s): "No flags can be set.
Parameter name: inheritanceFlags"

Does xFileSystemAccessRule work with files? If not, I guess this must be fixed.
For now I worked around this using a Script resource with the following instructions:

$acl = Get-ACL $using:workerRoleNLogInternalLogFile
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($using:appUserName, 
    "Modify", "Allow")
$acl.SetAccessRule($accessRule)
Set-ACL $using:workerRoleNLogInternalLogFile $acl
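
Added example, not the module's code: .NET raises the "No flags can be set" exception when a rule carrying inheritance flags is applied to a file's ACL, so code that handles both files and directories has to choose the flags per path type. The function name `Set-PathAccessRule` and its parameters are hypothetical.

```powershell
function Set-PathAccessRule
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [System.Security.AccessControl.FileSystemRights] $Rights
    )

    if (-not (Test-Path -LiteralPath $Path))
    {
        throw "Path '$Path' does not exist."
    }

    # A directory rule may flow down to children. A file has no children, so
    # anything other than 'None' raises "No flags can be set".
    $inheritance = [System.Security.AccessControl.InheritanceFlags]::None
    if (Test-Path -LiteralPath $Path -PathType Container)
    {
        $inheritance = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    }

    # Compare by SID so 'IIS_IUSRS' and 'BUILTIN\IIS_IUSRS' are treated as the same account.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = ([System.Security.Principal.NTAccount] $Identity).Translate($sidType)
    $acl     = Get-Acl -LiteralPath $Path

    $alreadyGranted = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Rights) -eq $Rights
    }
    if ($alreadyGranted) { return $false }    # nothing to change

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $sid, $Rights, $inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $true    # the ACL was modified
}
```

Calling it twice with the same arguments returns `$true` and then `$false`, which is the idempotent behaviour a Set/Test pair in a DSC resource needs.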
