configs/SampleConfig.ps1

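# DSC configuration that asserts a small security baseline for a member server:
# the antimalware service is running, two UAC prompt settings are set, the
# cached-logon count is limited, and infrastructure roles (AD DS, DNS, DHCP,
# Fax) are not installed.
#
# Parameters:
#   ComputerName - one or more node names; one MOF is generated per name.
#                  Defaults to 'localhost'.
#
# NOTE(review): compiling this only produces MOF files. Drift is corrected only
# if the target's Local Configuration Manager is set to re-apply; confirm the
# LCM ConfigurationMode used in your environment.
configuration MemberServerSecuritySettings {
    param([string[]]$ComputerName='localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {

        # Anti-malware: keep the engine service running and started at boot.
        # NOTE(review): 'MsMpSvc' is the service name of the Microsoft
        # Antimalware client; hosts that rely on the built-in Windows Defender
        # usually expose it as 'WinDefend' instead. Verify which one exists on
        # the targets, otherwise this resource cannot converge.
        Service 'MicrosoftAntimalwareService' {
            Name        = 'MsMpSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # User Account Control (1 of 2): elevation prompt behaviour for admins.
        # 5 = prompt for consent for non-Windows binaries, which is the Windows
        # default. NOTE(review): hardening baselines commonly require 2
        # (consent on the secure desktop) or 1 (credentials); confirm 5 is the
        # intended policy. Both UAC values only matter while UAC itself is
        # enabled (EnableLUA = 1 in the same key), which is not asserted here.
        Registry 'ConsentPromptBehaviorAdmin' {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'ConsentPromptBehaviorAdmin'
            ValueType = 'Dword'
            ValueData = '5'
        }

        # User Account Control (2 of 2): show the elevation prompt on the
        # secure desktop (1) rather than the interactive user desktop.
        Registry 'PromptOnSecureDesktop' {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'PromptOnSecureDesktop'
            ValueType = 'Dword'
            ValueData = '1'
        }

        # Interactive logon: number of previous logons to cache (used when no
        # domain controller is available). A low count keeps fewer cached
        # credential verifiers on the host.
        # Windows stores CachedLogonsCount as REG_SZ, so the value is written as
        # a string; a DWORD of the same name does not match what the security
        # policy tooling writes and audits.
        Registry 'Numberofpreviouslogonstocache' {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
            ValueName = 'CachedLogonsCount'
            ValueType = 'String'
            ValueData = '2'
        }

        # Roles a member server should not carry. Ensure = 'Absent' means the
        # role is removed when the configuration is applied, not just reported.
        # The WindowsFeature resource is only available on Windows Server.
        WindowsFeature 'ActiveDirectoryDomainServices' {
            Name   = 'AD-Domain-Services'
            Ensure = 'Absent'
        }

        # Ensure the DNS Server role is not installed.
        WindowsFeature 'DNSServer' {
            Name   = 'DNS'
            Ensure = 'Absent'
        }

        # Ensure the DHCP Server role is not installed.
        WindowsFeature 'DHCPServer' {
            Name   = 'DHCP'
            Ensure = 'Absent'
        }

        # Ensure the Fax Server role is not installed.
        WindowsFeature 'WindowsRoleFax' {
            Name   = 'Fax'
            Ensure = 'Absent'
        }
    }
}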

# Compile the configuration: writes one <node>.mof per ComputerName into the
# current directory. Nothing is applied to any machine by this line.
MemberServerSecuritySettings -OutputPath '.\'