"""
Manage Local Policy on Windows
This module allows configuring local group policy (i.e. ``gpedit.msc``) on a
Windows server.
.. versionadded:: 2016.11.0
Administrative Templates
========================
Administrative template policies are dynamically read from ADMX/ADML files on
the server.
Windows Settings
================
Policies contained in the "Windows Settings" section of the ``gpedit.msc`` GUI
are statically defined in this module. Each policy is configured for the section
(Machine/User) in the module's _policy_info class. The ``_policy_info`` class
contains a "policies" dict on how the module will configure the policy, where
the policy resides in the GUI (for display purposes), data validation data, data
transformation data, etc.
Current known limitations
=========================
- At this time, start/shutdown scripts policies are displayed, but are not
configurable.
- Not all "Security Settings" policies exist in the _policy_info class
:depends:
- pywin32 Python module
- lxml
- uuid
- struct
- salt.utils.win_reg
"""
# pylint: skip-file
import csv
import ctypes
import glob
import io
import locale
import logging
import os
import re
import tempfile
import time
import uuid
import zlib
import salt.utils.dictupdate as dictupdate
import salt.utils.files
import salt.utils.path
import salt.utils.platform
import salt.utils.stringutils
import salt.utils.win_lgpo_netsh
from salt.exceptions import CommandExecutionError, SaltInvocationError
from salt.serializers.configparser import deserialize
# Module-level logger; named after the module path so handlers can filter on it.
log = logging.getLogger(__name__)

# Name under which Salt's loader exposes this execution module (``lgpo.<func>``).
__virtualname__ = "lgpo"

# ``set`` shadows a Python builtin, so the function is defined as ``set_`` and
# published to callers under the name ``set``.
__func_alias__ = {"set_": "set"}

# Random 32-character hex token, generated once per import of this module.
# What it is used to mark is not visible in this block.
UUID = uuid.uuid4().hex

# Cache of administrative-template policy names, keyed by a bool. What that
# bool selects is not visible here -- confirm against the lookup sites.
adm_policy_name_map = {True: {}, False: {}}

# Flipped to True only if the Windows-only imports further down succeed.
HAS_WINDOWS_MODULES = False

# Compiled XPath expressions for walking ADMX/ADML documents. All of them stay
# None until lxml has been imported successfully; the import guard below then
# replaces each with an ``etree.XPath`` object.
TRUE_VALUE_XPATH = FALSE_VALUE_XPATH = None
ELEMENTS_XPATH = None
ENABLED_VALUE_XPATH = DISABLED_VALUE_XPATH = None
ENABLED_LIST_XPATH = DISABLED_LIST_XPATH = None
VALUE_XPATH = None
TRUE_LIST_XPATH = FALSE_LIST_XPATH = None
REGKEY_XPATH = None
POLICY_ANCESTOR_XPATH = None
ALL_CLASS_POLICY_XPATH = None
ADML_DISPLAY_NAME_XPATH = None
VALUE_LIST_XPATH = None
ENUM_ITEM_DISPLAY_NAME_XPATH = None
ADMX_SEARCH_XPATH = ADML_SEARCH_XPATH = None
ADMX_DISPLAYNAME_SEARCH_XPATH = None
PRESENTATION_ANCESTOR_XPATH = None
TEXT_ELEMENT_XPATH = None
# Windows-only dependencies. If any of them is missing the ImportError is
# caught below, HAS_WINDOWS_MODULES is left False and every XPATH global keeps
# the None it was given above, so the module itself still imports (e.g. on a
# non-Windows minion).
try:
    import struct
    import lxml
    import win32net
    import win32security
    from lxml import etree
    from salt.utils.win_reg import Registry

    HAS_WINDOWS_MODULES = True
    # Compiled XPath expressions used to walk ADMX/ADML documents. They match
    # on ``local-name()`` so the namespace prefix a given file uses does not
    # matter. Wherever a lookup depends on caller-supplied data
    # (``$keyvalue``, ``$registry_class``, ``$displayNameType``,
    # ``$displayNameId``, ``$display_name``, ``$policy_name``) the value is
    # passed as an XPath variable when the expression is evaluated, not
    # spliced into the expression text, so a policy or display name that
    # contains quotes or brackets cannot change the shape of the query.
    TRUE_VALUE_XPATH = etree.XPath('.//*[local-name() = "trueValue"]')
    FALSE_VALUE_XPATH = etree.XPath('.//*[local-name() = "falseValue"]')
    ELEMENTS_XPATH = etree.XPath('.//*[local-name() = "elements"]')
    ENABLED_VALUE_XPATH = etree.XPath('.//*[local-name() = "enabledValue"]')
    DISABLED_VALUE_XPATH = etree.XPath('.//*[local-name() = "disabledValue"]')
    ENABLED_LIST_XPATH = etree.XPath('.//*[local-name() = "enabledList"]')
    DISABLED_LIST_XPATH = etree.XPath('.//*[local-name() = "disabledList"]')
    VALUE_XPATH = etree.XPath('.//*[local-name() = "value"]')
    TRUE_LIST_XPATH = etree.XPath('.//*[local-name() = "trueList"]')
    FALSE_LIST_XPATH = etree.XPath('.//*[local-name() = "falseList"]')
    # Any element whose ``key`` attribute equals the supplied registry key.
    REGKEY_XPATH = etree.XPath("//*[@key = $keyvalue]")
    POLICY_ANCESTOR_XPATH = etree.XPath('ancestor::*[local-name() = "policy"]')
    # ``policy`` elements whose ``class`` is "Both" or the requested class
    # (presumably "Machine" / "User" -- confirm against the callers).
    ALL_CLASS_POLICY_XPATH = etree.XPath(
        '//*[local-name() = "policy" and (@*[local-name() = "class"] = "Both" or'
        ' @*[local-name() = "class"] = $registry_class)]'
    )
    ADML_DISPLAY_NAME_XPATH = etree.XPath(
        '//*[local-name() = $displayNameType and @*[local-name() = "id"] ='
        " $displayNameId]"
    )
    VALUE_LIST_XPATH = etree.XPath('.//*[local-name() = "valueList"]')
    ENUM_ITEM_DISPLAY_NAME_XPATH = etree.XPath(
        './/*[local-name() = "item" and @*[local-name() = "displayName" ='
        " $display_name]]"
    )
    # Exact match on the policy ``name`` attribute, filtered by class as above.
    ADMX_SEARCH_XPATH = etree.XPath(
        '//*[local-name() = "policy" and @*[local-name() = "name"] = $policy_name and'
        ' (@*[local-name() = "class"] = "Both" or @*[local-name() = "class"] ='
        " $registry_class)]"
    )
    # Prefix match on element text: every element carrying an ``id`` whose
    # text *starts with* ``$policy_name`` is returned, so callers must expect
    # several hits for names that share a prefix.
    ADML_SEARCH_XPATH = etree.XPath(
        '//*[starts-with(text(), $policy_name) and @*[local-name() = "id"]]'
    )
    # Exact match on the policy ``displayName`` attribute, filtered by class.
    ADMX_DISPLAYNAME_SEARCH_XPATH = etree.XPath(
        '//*[local-name() = "policy" and @*[local-name() = "displayName"] ='
        ' $display_name and (@*[local-name() = "class"] = "Both" or @*[local-name() ='
        ' "class"] = $registry_class) ]'
    )
    PRESENTATION_ANCESTOR_XPATH = etree.XPath(
        'ancestor::*[local-name() = "presentation"]'
    )
    TEXT_ELEMENT_XPATH = etree.XPath('.//*[local-name() = "text"]')
    # Get the System Install Language
    # https://msdn.microsoft.com/en-us/library/dd318123(VS.85).aspx
    # ``locale.windows_locale`` is a dict mapping an integer LANGID to a
    # locale name such as ``en_US``.
    # GetSystemDefaultUILanguage() returns an integer LANGID that corresponds
    # to an entry in that dict (1033 is en_US).
    # Not available in win32api, so we have to use ctypes.
    # Falls back to ``en_US`` when the LANGID is not in the table; the
    # underscore is then swapped for a dash (``en-US``), presumably to match
    # the ADML language folder naming -- confirm against the ADML loader.
    windll = ctypes.windll.kernel32
    INSTALL_LANGUAGE = locale.windows_locale.get(
        windll.GetSystemDefaultUILanguage(), "en_US"
    ).replace("_", "-")
# Only ImportError is handled here. ``ctypes.windll`` does not exist off
# Windows, but on such hosts the pywin32 imports above fail first, so that
# attribute access is never reached.
except ImportError:
    HAS_WINDOWS_MODULES = False
class _policy_info:
r"""
Policy Helper Class
===================
The format of the policy dict is as follows:
The top most two key/value pairs in the dict divide the policies object into
the two sections of local group policy, using the keys "Machine" and "User".
The value make-up of these dicts is described below in "Policy Section
Definition"
Policy Section Definition
-------------------------
A policy section dict has two required key/value pairs:
============ ==============================================================
Key Value
============ ==============================================================
lgpo_section String matching how the policy section is displayed in the mmc
snap-in ("Computer Configuration" for "Machine" and "User
Configuration" for "User")
policies a dict containing the non-Administrative template policy
definitions, the key for each item is a short/unique
identifier for the policy, the value is described below in
"Policies Definition"
============ ==============================================================
Policies Definition
-------------------
A policies definition item describes the particular policy. There are three
child key/value pairs shared by all policy types:
============ ==============================================================
Key Value
============ ==============================================================
lgpo_section A list containing the hierarchical path to the policy in the
gpedit mmc snap-in.
Policy A string containing the name of the policy in the gpedit mmc
snap-in
Settings An object which describes valid settings for the policy. This
can be None for no validation, a list of possible settings, or
a dict with the following key/value pairs:
- **Function:** The class function to use to validate the
setting
- **Args:** A dict of kwargs to pass to the class function
============ ==============================================================
Additionally, each policies definition will contain a key/value pair that
defines the mechanism that will be used to configure the policy. The
available mechanisms are: NetUserModal, Registry, Secedit, and LsaRights
Registry Mechanism
------------------
Some policies simply set values in the Windows registry. The value of this
key is a dict with the following make-up:
===== =====================================================================
Key Value
===== =====================================================================
Hive A string containing the Registry hive, such as ``HKEY_LOCAL_MACHINE``
Path A string containing the registry key path, such as
``SYSTEM\\CurrentControlSet\\Control\\Lsa``
Value A string containing the name of the registry value, such as
**restrictanonymous**
Type A string containing the registry type of the value, such as
``REG_DWORD``
===== =====================================================================
Secedit Mechanism
-----------------
Some policies are configurable via the "secedit.exe" executable. The value
of this key is a dict with the following make-up:
======= ===================================================================
Key Value
======= ===================================================================
Option A string containing the name of the policy as it appears in an
export from secedit, such as **PasswordComplexity**
Section A string containing the name of the section in which the "Option"
value appears in an export from ``secedit``, such as "System
Access"
======= ===================================================================
LsaRights Mechanism
-------------------
LSA Rights policies are configured via the LsaRights mechanism. The value of
this key is a dict with the following make-up:
====== ====================================================================
Key Value
====== ====================================================================
Option A string containing the programmatic name of the Lsa Right, such as
**SeNetworkLogonRight**
====== ====================================================================
NetUserModal Mechanism
----------------------
Some policies are configurable by the **NetUserModalGet** and
**NetUserModalSet** functions from pywin32. The value of this key is a dict
with the following make-up:
====== ====================================================================
Key Value
====== ====================================================================
Modal The modal "level" that the particular option is specified in (0-3),
see `here <https://msdn.microsoft.com/en-us/library/windows/desktop/
aa370656(v=vs.85).aspx>`_
Option The name of the structure member which contains the data for the
policy, for example **max_passwd_age**
====== ====================================================================
NetSH Mechanism
---------------
The firewall policies are configured by the ``netsh.exe`` executable. The
value of this key is a dict with the following make-up:
======= ===================================================================
Key Value
======= ===================================================================
Profile The firewall profile to modify. Can be one of Domain, Private, or
Public
Section The section of the firewall to modify. Can be one of state,
firewallpolicy, settings, or logging.
Option The setting within that section
Value The value of the setting
======= ===================================================================
More information can be found in the advfirewall context in netsh. This can
be accessed by opening a netsh prompt. At a command prompt type the following:
c:\>netsh
netsh>advfirewall
netsh advfirewall>set help
netsh advfirewall>set domain help
AdvAudit Mechanism
------------------
The Advanced Audit Policies are configured using a combination of the
auditpol command-line utility and modifying the audit.csv file in two
locations. The value of this key is a dict with the following make-up:
====== ===================================
Key Value
====== ===================================
Option The Advanced Audit Policy to modify
====== ===================================
Transforms
----------
Optionally, each policy definition can contain a "Transform" key. The
Transform key is used to handle data that is stored and viewed differently.
This key's value is a dict with the following key/value pairs:
=== =======================================================================
Key Value
=== =======================================================================
Get The name of the class function to use to transform the data from the
stored value to how the value is displayed in the GUI
Put The name of the class function to use to transform the data supplied by
the user to the correct value that the policy is stored in
=== =======================================================================
For example, "Minimum password age" is stored in seconds, but is displayed
in days. Thus the "Get" and "Put" functions for this policy do these
conversions so the user is able to set and view the policy using the same
data that is shown in the GUI.
"""
def __init__(self):
self.audit_lookup = {
0: "No auditing",
1: "Success",
2: "Failure",
3: "Success, Failure",
"Not Defined": "Not Defined",
None: "Not Defined",
}
self.advanced_audit_lookup = {
0: "No Auditing",
1: "Success",
2: "Failure",
3: "Success and Failure",
None: "Not Configured",
}
self.sc_removal_lookup = {
"0": "No Action",
"1": "Lock Workstation",
"2": "Force Logoff",
"3": "Disconnect if a Remote Desktop Services session",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.uac_admin_prompt_lookup = {
0: "Elevate without prompting",
1: "Prompt for credentials on the secure desktop",
2: "Prompt for consent on the secure desktop",
3: "Prompt for credentials",
4: "Prompt for consent",
5: "Prompt for consent for non-Windows binaries",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.uac_user_prompt_lookup = {
0: "Automatically deny elevation requests",
1: "Prompt for credentials on the secure desktop",
3: "Prompt for credentials",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero = {
0: "Disabled",
1: "Enabled",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.enabled_one_disabled_zero,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.enabled_one_disabled_zero,
"value_lookup": True,
},
}
self.s4u2self_options = {
0: "Default",
1: "Enabled",
2: "Disabled",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.audit_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {"lookup": self.audit_lookup, "value_lookup": False},
"PutArgs": {"lookup": self.audit_lookup, "value_lookup": True},
}
self.advanced_audit_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {"lookup": self.advanced_audit_lookup, "value_lookup": False},
"PutArgs": {"lookup": self.advanced_audit_lookup, "value_lookup": True},
}
self.enabled_one_disabled_zero_strings = {
"0": "Disabled",
"1": "Enabled",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero_strings_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.enabled_one_disabled_zero_strings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.enabled_one_disabled_zero_strings,
"value_lookup": True,
},
}
self.security_options_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Local Policies",
"Security Options",
]
self.windows_firewall_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Windows Firewall with Advanced Security",
"Windows Firewall with Advanced Security - Local Group Policy Object",
]
self.password_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Account Policies",
"Password Policy",
]
self.audit_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Local Policies",
"Audit Policy",
]
self.advanced_audit_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Advanced Audit Policy Configuration",
"System Audit Policies - Local Group Policy Object",
]
self.account_lockout_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Account Policies",
"Account Lockout Policy",
]
self.user_rights_assignment_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Local Policies",
"User Rights Assignment",
]
self.block_ms_accounts = {
0: "This policy is disabled",
1: "Users can't add Microsoft accounts",
3: "Users can't add or log on with Microsoft accounts",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ldap_server_signing_requirements = {
1: "None",
2: "Require signing",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.smb_server_name_hardening_levels = {
0: "Off",
1: "Accept if provided by client",
2: "Required from client",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.locked_session_user_info = {
1: "User display name, domain and user names",
2: "User display name only",
3: "Do not display user information",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.force_guest = {
0: "Classic - local users authenticate as themselves",
1: "Guest only - local users authenticate as Guest",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.force_key_protection = {
0: "User input is not required when new keys are stored and used",
1: "User is prompted when the key is first used",
2: "User must enter a password each time they use a key",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.firewall_inbound_connections = {
"blockinbound": "Block (default)",
"blockinboundalways": "Block all connections",
"allowinbound": "Allow",
"notconfigured": "Not configured",
}
self.firewall_outbound_connections = {
"blockoutbound": "Block",
"allowoutbound": "Allow (default)",
"notconfigured": "Not configured",
}
self.firewall_rule_merging = {
"enable": "Yes (default)",
"disable": "No",
"notconfigured": "Not configured",
}
self.firewall_log_packets_connections = {
"enable": "Yes",
"disable": "No (default)",
"notconfigured": "Not configured",
}
self.firewall_notification = {
"enable": "Yes",
"disable": "No",
"notconfigured": "Not configured",
}
self.firewall_state = {
"on": "On (recommended)",
"off": "Off",
"notconfigured": "Not configured",
}
self.krb_encryption_types = {
0: "No minimum",
1: "DES_CBC_CRC",
2: "DES_CBD_MD5",
4: "RC4_HMAC_MD5",
8: "AES128_HMAC_SHA1",
16: "AES256_HMAC_SHA1",
2147483616: "Future Encryption Types",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.lm_compat_levels = {
0: "Send LM & NTLM response",
1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
2: "Send NTLM response only",
3: "Send NTLMv2 response only",
4: "Send NTLMv2 response only. Refuse LM",
5: "Send NTLMv2 response only. Refuse LM & NTLM",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ldap_signing_reqs = {
0: "None",
1: "Negotiate signing",
2: "Require signing",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_session_security_levels = {
0: "No minimum",
524288: "Require NTLMv2 session security",
536870912: "Require 128-bit encryption",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_audit_settings = {
0: "Disable",
1: "Enable auditing for domain accounts",
2: "Enable auditing for all accounts",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_domain_audit_settings = {
0: "Disable",
1: "Enable for domain accounts to domain servers",
3: "Enable for domain accounts",
5: "Enable for domain servers",
7: "Enable all",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.incoming_ntlm_settings = {
0: "Allow all",
1: "Deny all domain accounts",
2: "Deny all accounts",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_domain_auth_settings = {
0: "Disable",
1: "Deny for domain accounts to domain servers",
3: "Deny for domain accounts",
5: "Deny for domain servers",
7: "Deny all",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.outgoing_ntlm_settings = {
0: "Allow all",
1: "Audit all",
2: "Deny all",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero_no_not_defined = {
0: "Disabled",
1: "Enabled",
}
self.enabled_one_disabled_zero_no_not_defined_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.enabled_one_disabled_zero_no_not_defined,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.enabled_one_disabled_zero_no_not_defined,
"value_lookup": True,
},
}
self.policies = {
"Machine": {
"lgpo_section": "Computer Configuration",
"policies": {
"StartupScripts": {
"Policy": "Startup Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Startup",
],
"ScriptIni": {
"Section": "Startup",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"scripts.ini",
),
},
},
"StartupPowershellScripts": {
"Policy": "Startup Powershell Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Startup",
],
"ScriptIni": {
"Section": "Startup",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
},
},
"StartupPowershellScriptOrder": {
"Policy": (
"Startup - For this GPO, run scripts in the following order"
),
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Startup",
],
"ScriptIni": {
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
"Section": "ScriptsConfig",
"SettingName": "StartExecutePSFirst",
"Settings": ["true", "false", None],
},
"Transform": {
"Get": "_powershell_script_order_conversion",
"Put": "_powershell_script_order_reverse_conversion",
},
},
"ShutdownScripts": {
"Policy": "Shutdown Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Shutdown",
],
"ScriptIni": {
"Section": "Shutdown",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"scripts.ini",
),
},
},
"ShutdownPowershellScripts": {
"Policy": "Shutdown Powershell Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Shutdown",
],
"ScriptIni": {
"Section": "Shutdown",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
},
},
"ShutdownPowershellScriptOrder": {
"Policy": (
"Shutdown - For this GPO, run scripts in the "
"following order"
),
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Shutdown",
],
"ScriptIni": {
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
"Section": "ScriptsConfig",
"SettingName": "EndExecutePSFirst",
"Settings": ["true", "false", None],
},
"Transform": {
"Get": "_powershell_script_order_conversion",
"Put": "_powershell_script_order_reverse_conversion",
},
},
"LSAAnonymousNameLookup": {
"Policy": (
"Network access: Allow anonymous SID/Name translation"
),
"lgpo_section": self.password_policy_gpedit_path,
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"Secedit": {
"Option": "LSAAnonymousNameLookup",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"RestrictAnonymousSam": {
"Policy": (
"Network access: Do not allow anonymous "
"enumeration of SAM accounts"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "RestrictAnonymousSam",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"RestrictRemoteSAM": {
"Policy": (
"Network access: Restrict clients allowed to "
"make remote calls to SAM"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa",
"Value": "RestrictRemoteSAM",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"RestrictAnonymous": {
"Policy": (
"Network access: Do not allow anonymous "
"enumeration of SAM accounts and shares"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "RestrictAnonymous",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"DisableDomainCreds": {
"Policy": (
"Network access: Do not allow storage of "
"passwords and credentials for network "
"authentication"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "DisableDomainCreds",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EveryoneIncludesAnonymous": {
"Policy": (
"Network access: Let Everyone permissions "
"apply to anonymous users"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "everyoneincludesanonymous",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"NullSessionPipes": {
"Policy": (
"Network access: Named Pipes that can be "
"accessed anonymously"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "NullSessionPipes",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"RemoteRegistryExactPaths": {
"Policy": "Network access: Remotely accessible registry paths",
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Control\\"
"SecurePipeServers\\winreg\\"
"AllowedExactPaths"
),
"Value": "Machine",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"RemoteRegistryPaths": {
"Policy": (
"Network access: Remotely accessible "
"registry paths and sub-paths"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Control\\"
"SecurePipeServers\\winreg\\AllowedPaths"
),
"Value": "Machine",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"RestrictNullSessAccess": {
"Policy": (
"Network access: Restrict anonymous access "
"to Named Pipes and Shares"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "RestrictNullSessAccess",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"NullSessionShares": {
"Policy": (
"Network access: Shares that can be accessed anonymously"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "NullSessionShares",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"ForceGuest": {
"Policy": (
"Network access: Sharing and security model "
"for local accounts"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.force_guest.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "ForceGuest",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.force_guest,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.force_guest,
"value_lookup": True,
},
},
},
"WfwDomainState": {
"Policy": "Network firewall: Domain: State",
"lgpo_section": self.windows_firewall_gpedit_path,