• spin up a new windows nano container
• run hardening cookbook on it
• run inspec baseline for verification

Make the readme better

• kitchen support
• appveyor tests

Not sure if this is required for CIS benchmarks, but the registry keys for enabling Powershell logging are missing output logging. Is this meant to be left out on purpose?

Is your feature request related to a problem? Please describe.

Platforms

• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2016 Nano Server

Does it support Windows 2019 now?

Describe the solution you'd like

Need support Windows 2019.

Describe alternatives you've considered

Need support Windows 2019.

Additional context

Need support Windows 2019.

In #13 we introduced appveyor tests. This ensures the cookbook is executable. We should also enable the inspec tests in appveyor

My team is needing to use the one of the latest Windows Server CIS benchmarks. We are using Windows Server 1803 but there's no benchmark for that yet, so we might target 1607.

I like the structure you have but also have a few questions about adding this to your cookbook.

1. First, is this something that would be acceptable to eventually merge?
2. How do you run the cookbook (or for that matter, InSpec) for a specific benchmark, e.g. release 1607 vs 2012R2?

Thanks,
Jason

Cookbook version version '0.9.1'

It looks like this issue was fixed but the fix is not visible in the supermarket.
We still receive the following errors:
NoMethodError: undefined method `password_policy'
NoMethodError: undefined method `security_policy'

Please see the comments in the issue (#50):
"Looks like version '0.9.1' from supermarket.chef.io does not contain this fix since the version in #49 wasn`t bumped."

Related link: https://github.com/dev-sec/chef-windows-hardening/pull/49/files

Could you please take a look and fix this?

While working on an Ansible role corresponding to the windows-baseline InSpec profile, I noticed the fix for windows-audit-205 is missing from this Chef recipe.

It doesn't look like it was intended...

clean the following recipes, if the issue #46 is done

include_recipe 'windows-hardening::audit'
include_recipe 'windows-hardening::ie'
include_recipe 'windows-hardening::rdp'
include_recipe 'windows-hardening::access'
include_recipe 'windows-hardening::privacy'
include_recipe 'windows-hardening::powershell'

custom resource declaration for 'password_policy' need to be updated to sync with Chef infra client v16.2.44+
Pre-16 code:
resource_name :foo

Chef Infra Client 16+ code
provides :foo

Chef Infra Client < 16 backwards compatible code
resource_name :foo
provides :foo

I'm running the cookbook using chef-solo as part of a packer deployment and I'm getting an error that I'm sure is my stupidity but I can't figure out what's wrong:

vmware-iso: Compiling Cookbooks...
vmware-iso: Converging 32 resources
vmware-iso: Recipe: windows-hardening::enable_winrm_access
vmware-iso:   * powershell_script[Remote Management] action run
vmware-iso:     - execute "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/ADMINI~1/AppData/Local/Temp/chef-script20180503-2024-1siyebd.ps1"
vmware-iso: Recipe: windows-hardening::password_policy
vmware-iso:   * password_policy[password_history] action set
vmware-iso:
vmware-iso:     ================================================================================
vmware-iso:     Error executing action `set` on resource 'password_policy[password_history]'
vmware-iso:     ================================================================================
vmware-iso:
vmware-iso:     NameError
vmware-iso:     ---------
vmware-iso:     undefined local variable or method `policy_name' for #<#<Class:0x028c9f08>:0x04e6b898>
vmware-iso:
vmware-iso:     Resource Declaration:
vmware-iso:     ---------------------
vmware-iso:     # In c:/windows/temp/packer-chef-solo/local-mode-cache/cache/cookbooks/windows-hardening/recipes/password_policy.rb
vmware-iso:
vmware-iso:      11: password_policy 'password_history' do
vmware-iso:      12:   policy_command 'uniquepw'
vmware-iso:      13:   value 24
vmware-iso:      14:   action :set
vmware-iso:      15: end
vmware-iso:      16:
vmware-iso:
vmware-iso:     Compiled Resource:
vmware-iso:     ------------------
vmware-iso:     # Declared in c:/windows/temp/packer-chef-solo/local-mode-cache/cache/cookbooks/windows-hardening/recipes/password_policy.rb:11:in `from_file'
vmware-iso:
vmware-iso:     password_policy("password_history") do
vmware-iso:       action [:set]
vmware-iso:       default_guard_interpreter :default
vmware-iso:       declared_type :password_policy
vmware-iso:       cookbook_name "windows-hardening"
vmware-iso:       recipe_name "password_policy"
vmware-iso:       policy_command "uniquepw"
vmware-iso:       value 24
vmware-iso:       policy_name "password_history"
vmware-iso:     end
vmware-iso:
vmware-iso:     System Info:
vmware-iso:     ------------
vmware-iso:     chef_version=14.0.202
vmware-iso:     platform=windows
vmware-iso:     platform_version=6.3.9600
vmware-iso:     ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [i386-mingw32]
vmware-iso:     program_name=c:/opscode/chef/bin/chef-solo
vmware-iso:     executable=c:/opscode/chef/bin/chef-solo
vmware-iso:

Describe the bug
When running on non-English version of Windows (for example, Russian version), cookbook fails with Expected process to exit with [0], but received '87'

Expected behavior
Cookbook should support not only English version of Windows.

Actual behavior

* execute[Account Logon Audit Log] action run
       
           ================================================================================
           Error executing action `run` on resource 'execute[Account Logon Audit Log]'
           ================================================================================
       
           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '87'
           ---- Begin output of AuditPol /Set /Category:"Account Logon" /Failure:Enable /Success:Enable ----
           STDOUT: €бЇ®«м§®ў ­ЁҐ: AuditPol Є®¬ ­¤  [<Ї®¤Є®¬ ­¤ ><Ї а ¬Ґвал>]

This happens because all categories are hardcoded to english naming.

https://github.com/dev-sec/chef-windows-hardening/blob/master/recipes/audit.rb#L60

execute 'Account Logon Audit Log' do
  command 'AuditPol /Set /Category:"Account Logon" /Failure:Enable /Success:Enable'
  action :run
  not_if { ::File.exist?('C:\accountLogonAudit.lock') }
  notifies :create, 'file[C:\accountLogonAudit.lock]', :immediately
end

Example code

include_recipe 'windows-hardening::default'

OS / Environment

Windows Server 2016 Datacenter Evaluation (Russian)

PS C:\Users\vagrant> Get-WinSystemLocale

LCID             Name             DisplayName
----             ----             -----------
1049             ru-RU            Русский (Россия)

Chef Version

14.13.11

Cookbook Version

0.9.1

Additional context

PS C:\Users\vagrant> auditpol /list /category
Категория или подкатегория
Вход учетной записи
Вход/выход
Доступ к объектам
Доступ к службе каталогов (DS)
Изменение политики
Использование прав
Подробное отслеживание
Система
Учетные записи
PS C:\Users\vagrant> AuditPol /Set /Category:"Вход учетной записи" /Failure:Enable /Success:Enable
Команда выполнена успешно.

As a workaround we can move Categories names to attributes.

• Document supported platforms
• Add supported platforms to metdata file

The current recipes are following the numbers by https://github.com/dev-sec/windows-baseline/tree/master/controls

Instead I propose we are using a component-oriented model like in https://github.com/dev-sec/chef-os-hardening/tree/master/recipes

We no longer have 100% coverage against the https://github.com/dev-sec/windows-baseline profile.

Current failing tests follow:

• Registry Key HKLM\System\CurrentControlSet\Services\LanManServer\Parameters SMB1 should eq 0
• Audit Policy Computer Account Management should eq "Success and Failure"
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging should exist
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging EnableScriptBlockLogging should eq 0
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription should exist
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription EnableTranscripting should eq 0
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount should exist
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount value should eq 0
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore should exist
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore AutoDownload should eq 4
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore DisableOSUpgrade should eq 1
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search should exist
• Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search AllowIndexingEncryptedStoresOrItems should eq 0

i implemented until cis 17.2.4 control for windows 2012 r2 and win 2016

i used the 2 documents from CIS

CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018
CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018

Hi!

Can we get a new release?

just curious where the content went?

Describe the bug
Using packer to create an image, apply hardening cookbook and enable_winrm_acesss and reboot
Expected behavior
Winrm is available after reboot

Actual behavior
after reboot winrm is no longer available

edr-widows-2016-base-20190228-074531: Recipe: windows-hardening::enable_winrm_access
edr-widows-2016-base-20190228-074531:   * powershell_script[Remote Management] action run[2019-02-28T15:53:42+00:00] INFO: Processing powershell_script[Remote Management] action run (windows-hardening::enable_winrm_access line 10)
2019/02/28 07:53:41 [INFO] (telemetry) ending chef-client
2019/02/28 07:53:41 [INFO] (telemetry) Starting provisioner windows-restart
==> edr-widows-2016-base-20190228-074531: Restarting Machine
2019/02/28 07:53:41 [INFO] 0 bytes written for 'stdout'
2019/02/28 07:53:41 [INFO] 0 bytes written for 'stderr'
2019/02/28 07:53:41 packer: 2019/02/28 07:53:41 Retryable error: http response error: 401 - invalid content type

After the 10 minute timeout packer exits as winrm does not become available.
Example code

OS / Environment
aws windows 2016 base
Chef Version

14.10.9

Cookbook Version

0.9.1

I also attempt to connect to the host via telnet ip 5985 and I cannot.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency highline to v3
• chore(deps): update dependency inspec to v6

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository