Managing Security Settings on Nano Server with DSC

We have released DSC resources building upon the previously released security and registry cmdlets for applying security settings. You can now implement Microsoft-defined security baselines using DSC.

AuditPolicyDsc

SecurityPolicyDsc

GPRegistryPolicy

Install all 3 from the Gallery with the command:

Install-Module SecurityPolicyDsc, AuditPolicyDsc, GPRegistryPolicy

The sample configuration below uses the .inf, .csv and .pol files that contain the desired security settings, extracted from the exported Group Policy Objects of the Security Baselines for Windows Server 2016. (You can find information on extracting the necessary files in the Registry cmdlets blog post.) Simply pass the files into the new DSC resources, and you have successfully implemented security baselines using DSC!

This is most useful for Nano Server, since Nano Server doesn’t support Group Policy. However, this approach will work for all installation options. It’s not a good idea to manage the same server using both Group Policy and DSC since the two engines will constantly attempt to overwrite each other if they are both managing the same setting.

WARNING: As with all security settings, you can easily lock yourself out of remote access to your machine if you are not careful. Be sure to carefully review security settings before applying them to Nano Server, and stage test deployments before using security baselines in production!

Configuration SecurityBaseline
{
    Import-DscResource -ModuleName AuditPolicyDsc, SecurityPolicyDSC, GpRegistryPolicy
    node localhost
    {
        SecurityTemplate baselineInf
        {
            Path = "C:\Users\Administrator\Documents\GptTmpl.inf"
            # Only one instance of this resource is allowed per node:
            # https://msdn.microsoft.com/powershell/dsc/singleinstance
            IsSingleInstance = "Yes"
        }
        AuditPolicyCsv baselineCsv
        {
            IsSingleInstance = "Yes"
            CsvPath = "C:\Users\Administrator\Documents\audit.csv"
        }
        RegistryPolicy baselineGpo
        {
            Path = "C:\Users\Administrator\Documents\registry.pol"
        }
    }
}
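# Compile the MOF file (written to .\SecurityBaseline\localhost.mof)
SecurityBaseline
# Apply the compiled configuration to the local node
Start-DscConfiguration -Path ./SecurityBaseline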
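
The warning above asks you to review settings before applying them. The following is an added example, not part of the original post or of the DSC modules: it lists the user-rights entries in a GptTmpl.inf that decide who can log on over the network or through Remote Desktop, so they can be checked before the configuration is applied. The function name Get-RemoteAccessRight and the sample template are assumptions constructed for illustration.

```powershell
# Added example: list the user-rights entries in a security template (.inf)
# that control remote logon, so they can be reviewed before applying it.
function Get-RemoteAccessRight {
    param([string[]] $InfLine)

    # User rights that govern network (WinRM/SMB) and Remote Desktop logon.
    $watch = 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight',
             'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    $section = ''
    foreach ($line in $InfLine) {
        $text = $line.Trim()
        # Track the current [Section]; only [Privilege Rights] is of interest.
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Privilege Rights') { continue }
        if ($text -match '^(\w+)\s*=\s*(.*)$' -and $watch -contains $Matches[1]) {
            [pscustomobject]@{
                Right    = $Matches[1]
                # Values are comma-separated; SIDs carry a leading '*'.
                Accounts = @($Matches[2].Split(',') |
                             ForEach-Object { $_.Trim() } |
                             Where-Object { $_ })
            }
        }
    }
}

# Constructed sample in GptTmpl.inf layout (not taken from a real baseline).
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546
SeBackupPrivilege = *S-1-5-32-544
'@ -split '\r?\n'

# Returns the two logon-related rights and skips SeBackupPrivilege.
Get-RemoteAccessRight -InfLine $sample | Format-Table -AutoSize

# Against the template used in the configuration above:
# Get-RemoteAccessRight -InfLine (Get-Content 'C:\Users\Administrator\Documents\GptTmpl.inf')
```

Confirm that the account you use for remote management is granted, and not denied, the rights listed before running Start-DscConfiguration.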