Puppet Class: secure_windows::stig::v73509

Defined in:
manifests/stig/v73509.pp

Overview

V-73509 Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.

Parameters:

  • enforced (Boolean) (defaults to: false)


# File 'manifests/stig/v73509.pp', line 3

class secure_windows::stig::v73509 (
  Boolean $enforced = false,
) {
  if $enforced {
    if($facts['windows_type'] =~ /(1|3|4|5)/) {
      # C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
      # /v "\\*\SYSVOL" /d "RequireMutualAuthentication=1, RequireIntegrity=1" /t REG_SZ /f
      # NOTE: %ERRORLEVEL% returns 0 if match found and 1 if no match, so using unless param instead of onlyif param below...
      # NOTE: Puppet single-quoted strings turn \\ into a single \, so the leading \\ of the value name is written as \\\\.
      # NOTE: the unless guard only tests that the value exists; it does not compare the value's data.
      exec { 'v73509_netlogon':
        path    => 'C:\Windows\system32',
        command => 'cmd.exe /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\NETLOGON" /d "RequireMutualAuthentication=1, RequireIntegrity=1" /t REG_SZ /f',# lint:ignore:140chars
        unless  => 'cmd.exe /C reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\NETLOGON"',# lint:ignore:140chars
      }

      exec { 'v73509_sysvol':
        path    => 'C:\Windows\system32',
        command => 'cmd.exe /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\SYSVOL" /d "RequireMutualAuthentication=1, RequireIntegrity=1" /t REG_SZ /f',# lint:ignore:140chars
        unless  => 'cmd.exe /C reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\SYSVOL"',# lint:ignore:140chars
      }
    }
  }
}
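
The `unless` guards in the class pass as soon as a value with the expected name exists, whatever its data. The following audit check is an added example, not part of the secure_windows module: it parses `reg query` output for the HardenedPaths key and reports any share whose value is missing or whose flags are not both set to 1. The function names and the sample output are constructed for illustration, and treating flag names as case-insensitive is an assumption.

```python
import re

REQUIRED_PATHS = (r"\\*\SYSVOL", r"\\*\NETLOGON")
REQUIRED_FLAGS = ("RequireMutualAuthentication", "RequireIntegrity")

# `reg query` value lines: 4-space indent, then name, type and data, each separated by 4 spaces.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

# Constructed sample: NETLOGON data has drifted, SYSVOL is stored under a wrong value name.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths",
    r"    \\*\NETLOGON    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=0",
    r"    \*\SYSVOL    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=1",
])


def parse_reg_query(output):
    """Map upper-cased value name -> (type, data); registry names are case-insensitive."""
    values = {}
    for line in output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m["name"].upper()] = (m["type"], m["data"].strip())
    return values


def parse_flags(data):
    """Split 'A=1, B=1' into {'a': '1', 'b': '1'} (keys lower-cased, an assumption)."""
    flags = {}
    for part in data.split(","):
        key, sep, val = part.partition("=")
        if sep:
            flags[key.strip().lower()] = val.strip()
    return flags


def audit(output):
    """Return a list of findings; an empty list means both shares are hardened."""
    values = parse_reg_query(output)
    findings = []
    for path in REQUIRED_PATHS:
        if path.upper() not in values:
            findings.append(f"{path}: value missing")
            continue
        reg_type, data = values[path.upper()]
        flags = parse_flags(data)
        for flag in REQUIRED_FLAGS:
            if reg_type != "REG_SZ" or flags.get(flag.lower()) != "1":
                findings.append(f"{path}: {flag} not enforced ({data!r})")
    return findings
```

On a managed host, the input would be the captured text of `reg query` against the HardenedPaths key shown in the class above.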