Resource Type: dsc_securityoption

Defined in:
lib/puppet/type/dsc_securityoption.rb
Providers:
powershell

Overview

The DSC SecurityOption resource type. Automatically generated from ‘SecurityPolicyDsc/DSCResources/MSFT_SecurityOption/MSFT_SecurityOption.schema.mof’

To learn more about PowerShell Desired State Configuration, please visit technet.microsoft.com/en-us/library/dn249912.aspx.

For more information about built-in DSC Resources, please visit technet.microsoft.com/en-us/library/dn249921.aspx.

For more information about xDsc Resources, please visit github.com/PowerShell/DscResources.

Properties

  • ensure

    The basic state that the resource should be in.

    Supported values:
    • exists?
    • present

Parameters

  • dsc_accounts_administrator_account_status

    Accounts_Administrator_account_status - Valid values are Enabled, Disabled.

  • dsc_accounts_block_microsoft_accounts

    Accounts_Block_Microsoft_accounts - Valid values are This policy is disabled, Users cant add Microsoft accounts, Users cant add or log on with Microsoft accounts.

  • dsc_accounts_guest_account_status

    Accounts_Guest_account_status - Valid values are Enabled, Disabled.

  • dsc_accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only

    Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only - Valid values are Enabled, Disabled.

  • dsc_accounts_rename_administrator_account

    Accounts_Rename_administrator_account

  • dsc_accounts_rename_guest_account

    Accounts_Rename_guest_account

  • dsc_audit_audit_the_access_of_global_system_objects

    Audit_Audit_the_access_of_global_system_objects - Valid values are Enabled, Disabled.

  • dsc_audit_audit_the_use_of_backup_and_restore_privilege

    Audit_Audit_the_use_of_Backup_and_Restore_privilege - Valid values are Enabled, Disabled.

  • dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings

    Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings - Valid values are Enabled, Disabled.

  • dsc_audit_shut_down_system_immediately_if_unable_to_log_security_audits

    Audit_Shut_down_system_immediately_if_unable_to_log_security_audits - Valid values are Enabled, Disabled.

  • dsc_dcom_machine_access_restrictions_in_security_descriptor_definition_language_sddl_syntax

    DCOM_Machine_Access_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax

  • dsc_dcom_machine_launch_restrictions_in_security_descriptor_definition_language_sddl_syntax

    DCOM_Machine_Launch_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax

  • dsc_devices_allow_undock_without_having_to_log_on

    Devices_Allow_undock_without_having_to_log_on

  • dsc_devices_allowed_to_format_and_eject_removable_media

    Devices_Allowed_to_format_and_eject_removable_media - Valid values are Administrators, Administrators and Power Users, Administrators and Interactive Users.

  • dsc_devices_prevent_users_from_installing_printer_drivers

    Devices_Prevent_users_from_installing_printer_drivers

  • dsc_devices_restrict_cd_rom_access_to_locally_logged_on_user_only

    Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only

  • dsc_devices_restrict_floppy_access_to_locally_logged_on_user_only

    Devices_Restrict_floppy_access_to_locally_logged_on_user_only

  • dsc_domain_controller_allow_server_operators_to_schedule_tasks

    Domain_controller_Allow_server_operators_to_schedule_tasks

  • dsc_domain_controller_ldap_server_signing_requirements

    Domain_controller_LDAP_server_signing_requirements

  • dsc_domain_controller_refuse_machine_account_password_changes

    Domain_controller_Refuse_machine_account_password_changes

  • dsc_domain_member_digitally_encrypt_or_sign_secure_channel_data_always

    Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always

  • dsc_domain_member_digitally_encrypt_secure_channel_data_when_possible

    Domain_member_Digitally_encrypt_secure_channel_data_when_possible

  • dsc_domain_member_digitally_sign_secure_channel_data_when_possible

    Domain_member_Digitally_sign_secure_channel_data_when_possible

  • dsc_domain_member_disable_machine_account_password_changes

    Domain_member_Disable_machine_account_password_changes

  • dsc_domain_member_maximum_machine_account_password_age

    Domain_member_Maximum_machine_account_password_age

  • dsc_domain_member_require_strong_windows_2000_or_later_session_key

    Domain_member_Require_strong_Windows_2000_or_later_session_key

  • dsc_interactive_logon_display_user_information_when_the_session_is_locked

    Interactive_logon_Display_user_information_when_the_session_is_locked - Valid values are User displayname, domain and user names, User display name only, Do not display user information.

  • dsc_interactive_logon_do_not_display_last_user_name

    Interactive_logon_Do_not_display_last_user_name

  • dsc_interactive_logon_do_not_require_ctrl_alt_del

    Interactive_logon_Do_not_require_CTRL_ALT_DEL

  • dsc_interactive_logon_machine_account_lockout_threshold

    Interactive_logon_Machine_account_lockout_threshold

  • dsc_interactive_logon_machine_inactivity_limit

    Interactive_logon_Machine_inactivity_limit

  • dsc_interactive_logon_message_text_for_users_attempting_to_log_on

    Interactive_logon_Message_text_for_users_attempting_to_log_on

  • dsc_interactive_logon_message_title_for_users_attempting_to_log_on

    Interactive_logon_Message_title_for_users_attempting_to_log_on

  • dsc_interactive_logon_number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available

    Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available

  • dsc_interactive_logon_prompt_user_to_change_password_before_expiration

    Interactive_logon_Prompt_user_to_change_password_before_expiration

  • dsc_interactive_logon_require_domain_controller_authentication_to_unlock_workstation

    Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation

  • dsc_interactive_logon_require_smart_card

    Interactive_logon_Require_smart_card

  • dsc_interactive_logon_smart_card_removal_behavior

    Interactive_logon_Smart_card_removal_behavior - Valid values are No Action, Lock workstation, Force logoff, Disconnect if a remote Remote Desktop Services session.

  • dsc_microsoft_network_client_digitally_sign_communications_always

    Microsoft_network_client_Digitally_sign_communications_always

  • dsc_microsoft_network_client_digitally_sign_communications_if_server_agrees

    Microsoft_network_client_Digitally_sign_communications_if_server_agrees

  • dsc_microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers

    Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers

  • dsc_microsoft_network_server_amount_of_idle_time_required_before_suspending_session

    Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session

  • dsc_microsoft_network_server_attempt_s4u2self_to_obtain_claim_information

    Microsoft_network_server_Attempt_S4U2Self_to_obtain_claim_information

  • dsc_microsoft_network_server_digitally_sign_communications_always

    Microsoft_network_server_Digitally_sign_communications_always

  • dsc_microsoft_network_server_digitally_sign_communications_if_client_agrees

    Microsoft_network_server_Digitally_sign_communications_if_client_agrees

  • dsc_microsoft_network_server_disconnect_clients_when_logon_hours_expire

    Microsoft_network_server_Disconnect_clients_when_logon_hours_expire

  • dsc_microsoft_network_server_server_spn_target_name_validation_level

    Microsoft_network_server_Server_SPN_target_name_validation_level - Valid values are Off, Accept if provided by the client, Required from client.

  • dsc_name

    Name - Describes the security option to be managed. This can be any value, as long as it is unique.

  • dsc_network_access_allow_anonymous_sid_name_translation

    Network_access_Allow_anonymous_SID_Name_translation

  • dsc_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts

    Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts

  • dsc_network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares

    Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares

  • dsc_network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication

    Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication

  • dsc_network_access_let_everyone_permissions_apply_to_anonymous_users

    Network_access_Let_Everyone_permissions_apply_to_anonymous_users

  • dsc_network_access_named_pipes_that_can_be_accessed_anonymously

    Network_access_Named_Pipes_that_can_be_accessed_anonymously

  • dsc_network_access_remotely_accessible_registry_paths

    Network_access_Remotely_accessible_registry_paths

  • dsc_network_access_remotely_accessible_registry_paths_and_subpaths

    Network_access_Remotely_accessible_registry_paths_and_subpaths

  • dsc_network_access_restrict_anonymous_access_to_named_pipes_and_shares

    Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares

  • dsc_network_access_shares_that_can_be_accessed_anonymously

    Network_access_Shares_that_can_be_accessed_anonymously

  • dsc_network_access_sharing_and_security_model_for_local_accounts

    Network_access_Sharing_and_security_model_for_local_accounts - Valid values are Classic - Local users authenticate as themselves, Guest only - Local users authenticate as Guest.

  • dsc_network_security_allow_local_system_to_use_computer_identity_for_ntlm

    Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM

  • dsc_network_security_allow_localsystem_null_session_fallback

    Network_security_Allow_LocalSystem_NULL_session_fallback

  • dsc_network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities

    Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities

  • dsc_network_security_configure_encryption_types_allowed_for_kerberos

    Network_security_Configure_encryption_types_allowed_for_Kerberos - Valid values are DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1.

  • dsc_network_security_do_not_store_lan_manager_hash_value_on_next_password_change

    Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change

  • dsc_network_security_force_logoff_when_logon_hours_expire

    Network_security_Force_logoff_when_logon_hours_expire

  • dsc_network_security_lan_manager_authentication_level

    Network_security_LAN_Manager_authentication_level - Valid values are Send LM & NTLM responses, Send LM & NTLM - use NTLMv2 session security if negotiated, Send NTLM responses only, Send NTLMv2 responses only, Send NTLMv2 responses only. Refuse LM, Send NTLMv2 responses only. Refuse LM & NTLM.

  • dsc_network_security_ldap_client_signing_requirements

    Network_security_LDAP_client_signing_requirements - Valid values are None, Negotiate Signing, Require Signing.

  • dsc_network_security_minimum_session_security_for_ntlm_ssp_based_including_secure_rpc_clients

    Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients - Valid values are Require NTLMv2 session security, Require 128-bit encryption, Both options checked.

  • dsc_network_security_minimum_session_security_for_ntlm_ssp_based_including_secure_rpc_servers

    Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers - Valid values are Require NTLMv2 session security, Require 128-bit encryption, Both options checked.

  • dsc_network_security_restrict_ntlm_add_remote_server_exceptions_for_ntlm_authentication

    Network_security_Restrict_NTLM_Add_remote_server_exceptions_for_NTLM_authentication

  • dsc_network_security_restrict_ntlm_add_server_exceptions_in_this_domain

    Network_security_Restrict_NTLM_Add_server_exceptions_in_this_domain

  • dsc_network_security_restrict_ntlm_audit_incoming_ntlm_traffic

    Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic - Valid values are Disable, Deny for domain accounts to domain servers, Deny for domain accounts, Deny for domain servers, Deny all.

  • dsc_network_security_restrict_ntlm_audit_ntlm_authentication_in_this_domain

    Network_Security_Restrict_NTLM_Audit_NTLM_authentication_in_this_domain - Valid values are Allow all, Audit all, Deny all.

  • dsc_network_security_restrict_ntlm_incoming_ntlm_traffic

    Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic - Valid values are Disabled, Enable auditing for domain accounts, Enable auditing for all accounts.

  • dsc_network_security_restrict_ntlm_ntlm_authentication_in_this_domain

    Network_Security_Restrict_NTLM_NTLM_authentication_in_this_domain - Valid values are Disable, Enable for domain accounts to domain servers, Enable for domain accounts, Enable for domain servers, Enable all.

  • dsc_network_security_restrict_ntlm_outgoing_ntlm_traffic_to_remote_servers

    Network_Security_Restrict_NTLM_Outgoing_NTLM_traffic_to_remote_servers - Valid values are Allow all, Deny all domain accounts, Deny all accounts.

  • dsc_psdscrunascredential

    PsDscRunAsCredential

  • dsc_recovery_console_allow_automatic_administrative_logon

    Recovery_console_Allow_automatic_administrative_logon

  • dsc_recovery_console_allow_floppy_copy_and_access_to_all_drives_and_folders

    Recovery_console_Allow_floppy_copy_and_access_to_all_drives_and_folders

  • dsc_shutdown_allow_system_to_be_shut_down_without_having_to_log_on

    Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on

  • dsc_shutdown_clear_virtual_memory_pagefile

    Shutdown_Clear_virtual_memory_pagefile

  • dsc_system_cryptography_force_strong_key_protection_for_user_keys_stored_on_the_computer

    System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer - Valid values are User input is not required when new keys are stored and used, User is prompted when the key is first used, User must enter a password each time they use a key.

  • dsc_system_cryptography_use_fips_compliant_algorithms_for_encryption_hashing_and_signing

    System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing

  • dsc_system_objects_require_case_insensitivity_for_non_windows_subsystems

    System_objects_Require_case_insensitivity_for_non_Windows_subsystems

  • dsc_system_objects_strengthen_default_permissions_of_internal_system_objects_eg_symbolic_links

    System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links

  • dsc_system_settings_optional_subsystems

    System_settings_Optional_subsystems

  • dsc_system_settings_use_certificate_rules_on_windows_executables_for_software_restriction_policies

    System_settings_Use_Certificate_Rules_on_Windows_Executables_for_Software_Restriction_Policies

  • dsc_user_account_control_admin_approval_mode_for_the_built_in_administrator_account

    User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account

  • dsc_user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop

    User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop

  • dsc_user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode

    User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode - Valid values are Elevate without prompting, Prompt for credentials on the secure desktop, Prompt for consent on the secure desktop, Prompt for credentials, Prompt for consent, Prompt for consent for non-Windows binaries.

  • dsc_user_account_control_behavior_of_the_elevation_prompt_for_standard_users

    User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users - Valid values are Automatically deny elevation request, Prompt for credentials on the secure desktop, Prompt for crendentials.

  • dsc_user_account_control_detect_application_installations_and_prompt_for_elevation

    User_Account_Control_Detect_application_installations_and_prompt_for_elevation

  • dsc_user_account_control_only_elevate_executables_that_are_signed_and_validated

    User_Account_Control_Only_elevate_executables_that_are_signed_and_validated

  • dsc_user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations

    User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations

  • dsc_user_account_control_run_all_administrators_in_admin_approval_mode

    User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode

  • dsc_user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation

    User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation

  • dsc_user_account_control_virtualize_file_and_registry_write_failures_to_per_user_locations

    User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations

  • name (namevar)
  • provider

    The specific backend to use for this `dsc_securityoption` resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.