-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
14 changed files
with
161 additions
and
248 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,37 +1,37 @@ | ||
|
||
# create test user and security template | ||
$userName = "TestUser" + ([guid]::NewGuid().guid).substring(0,6) | ||
$policy = 'SeTrustedCredManAccessPrivilege' | ||
$directoryEntry = [ADSI]"WinNT://$env:COMPUTERNAME,Computer" | ||
$user = $directoryEntry.Create("User", $userName) | ||
$user.setpassword('P@ssword!QAZ2wsx') | ||
$user.SetInfo() | ||
|
||
$infTemplate =@" | ||
[Unicode] | ||
Unicode=yes | ||
[Privilege Rights] | ||
$policy = $userName | ||
[Version] | ||
signature="`$CHICAGO`$" | ||
Revision=1 | ||
"@ | ||
|
||
$tempFile = ([system.IO.Path]::GetTempFileName()).Replace('tmp','inf') | ||
Out-File -InputObject $infTemplate -FilePath $tempFile -Encoding unicode | ||
|
||
# Integration Test Config Template Version: 1.0.0 | ||
|
||
configuration MSFT_SecurityTemplate_config { | ||
|
||
Import-DscResource -ModuleName SecurityPolicyDsc | ||
|
||
node localhost { | ||
|
||
SecurityTemplate Integration_Test | ||
{ | ||
Path = $tempFile | ||
IsSingleInstance = 'Yes' | ||
} | ||
} | ||
} | ||
|
||
# create test user and security template | ||
$userName = "TestUser" + ([guid]::NewGuid().guid).substring(0,6) | ||
$policy = 'SeTrustedCredManAccessPrivilege' | ||
$directoryEntry = [ADSI]"WinNT://$env:COMPUTERNAME,Computer" | ||
$user = $directoryEntry.Create("User", $userName) | ||
$user.setpassword('P@ssword!QAZ2wsx') | ||
$user.SetInfo() | ||
|
||
$infTemplate =@" | ||
[Unicode] | ||
Unicode=yes | ||
[Privilege Rights] | ||
$policy = $userName | ||
[Version] | ||
signature="`$CHICAGO`$" | ||
Revision=1 | ||
"@ | ||
|
||
$tempFile = ([system.IO.Path]::GetTempFileName()).Replace('tmp','inf') | ||
Out-File -InputObject $infTemplate -FilePath $tempFile -Encoding unicode | ||
|
||
# Integration Test Config Template Version: 1.0.0 | ||
|
||
configuration MSFT_SecurityTemplate_config { | ||
|
||
Import-DscResource -ModuleName SecurityPolicyDsc | ||
|
||
node localhost { | ||
|
||
SecurityTemplate Integration_Test | ||
{ | ||
Path = $tempFile | ||
IsSingleInstance = 'Yes' | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,49 +1,49 @@ | ||
$script:DSCResourceName = 'MSFT_UserRightsAssignment' | ||
|
||
$resourcePath = (Get-DscResource -Name $script:DSCResourceName).Path | ||
Import-Module $resourcePath -Force | ||
|
||
# S-1-5-6 = NT Authority\Service | ||
# S-1-5-90-0 = 'window manager\window manager group' | ||
|
||
$rule = @{ | ||
Policy = 'Access_Credential_Manager_as_a_trusted_caller' | ||
Identity = 'builtin\Administrators','*S-1-5-6','S-1-5-90-0' | ||
} | ||
|
||
$removeAll = @{ | ||
Policy = 'Act_as_part_of_the_operating_system' | ||
Identity = "" | ||
} | ||
|
||
$removeGuests = @{ | ||
Policy = 'Deny_log_on_locally' | ||
Identity = 'Guests' | ||
} | ||
|
||
# Add an identities so we can verify it gets removed | ||
Set-TargetResource -Policy $removeAll.Policy -Identity 'Administrators' -Ensure 'Present' | ||
Set-TargetResource -Policy $removeGuests.Policy -Identity 'Guests' -Ensure 'Present' | ||
|
||
configuration MSFT_UserRightsAssignment_config { | ||
Import-DscResource -ModuleName SecurityPolicyDsc | ||
|
||
UserRightsAssignment AccessCredentialManagerAsaTrustedCaller | ||
{ | ||
Policy = $rule.Policy | ||
Identity = $rule.Identity | ||
} | ||
|
||
UserRightsAssignment RemoveAllActAsOS | ||
{ | ||
Policy = $removeAll.Policy | ||
Identity = $removeAll.Identity | ||
} | ||
|
||
UserRightsAssignment DenyLogOnLocally | ||
{ | ||
Policy = $removeGuests.Policy | ||
Identity = $removeGuests.Identity | ||
Ensure = 'Absent' | ||
} | ||
} | ||
$script:DSCResourceName = 'MSFT_UserRightsAssignment' | ||
|
||
$resourcePath = (Get-DscResource -Name $script:DSCResourceName).Path | ||
Import-Module $resourcePath -Force | ||
|
||
# S-1-5-6 = NT Authority\Service | ||
# S-1-5-90-0 = 'window manager\window manager group' | ||
|
||
$rule = @{ | ||
Policy = 'Access_Credential_Manager_as_a_trusted_caller' | ||
Identity = 'builtin\Administrators','*S-1-5-6','S-1-5-90-0' | ||
} | ||
|
||
$removeAll = @{ | ||
Policy = 'Act_as_part_of_the_operating_system' | ||
Identity = "" | ||
} | ||
|
||
$removeGuests = @{ | ||
Policy = 'Deny_log_on_locally' | ||
Identity = 'Guests' | ||
} | ||
|
||
# Add an identities so we can verify it gets removed | ||
Set-TargetResource -Policy $removeAll.Policy -Identity 'Administrators' -Ensure 'Present' | ||
Set-TargetResource -Policy $removeGuests.Policy -Identity 'Guests' -Ensure 'Present' | ||
|
||
configuration MSFT_UserRightsAssignment_config { | ||
Import-DscResource -ModuleName SecurityPolicyDsc | ||
|
||
UserRightsAssignment AccessCredentialManagerAsaTrustedCaller | ||
{ | ||
Policy = $rule.Policy | ||
Identity = $rule.Identity | ||
} | ||
|
||
UserRightsAssignment RemoveAllActAsOS | ||
{ | ||
Policy = $removeAll.Policy | ||
Identity = $removeAll.Identity | ||
} | ||
|
||
UserRightsAssignment DenyLogOnLocally | ||
{ | ||
Policy = $removeGuests.Policy | ||
Identity = $removeGuests.Identity | ||
Ensure = 'Absent' | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.