windows-hardening (Chef Cookbook)
Version 0.9.1 (5 versions published)
Hardening cookbook for Windows 2012 R2
Berksfile: cookbook 'windows-hardening', '~> 0.9.1', :supermarket
Install with knife: knife supermarket install windows-hardening
Download with knife: knife supermarket download windows-hardening
This cookbook provides recipes for ensuring that a Windows 2012 R2 system is compliant with the DevSec Windows Baseline.
Platforms
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016 Nano Server
Roadmap
This cookbook aims to be the go-to resource for implementing hardening in Windows environments. To achieve that, we plan to cover the requirements of:
- CIS Windows 2012R2
- CIS Windows 2016
- STIG Windows 2012R2
Any contributions to achieve that are welcome!
Coding guidelines
Use Chef resources wherever possible. Some Chef resources we use to manage Windows:
If no Chef resource is available, we prefer to use PowerShell or PowerShell DSC.
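As an added illustration of the guideline above (this is not the cookbook's own code), the following standalone PowerShell script applies the check-then-set pattern to SMBv1, which the cookbook disables (see pull request #27 in the change log). It assumes a full Windows Server 2012 R2 or 2016 install with the SMB and ServerManager cmdlets available; in a recipe, the registry part would normally be a `registry_key` resource and the rest a `powershell_script` resource guarded by `not_if` with the same check.

```powershell
# Added example, not code from the windows-hardening cookbook.
# Assumes Windows Server 2012 R2 / 2016 (not Nano) with Get-SmbServerConfiguration
# and Get-WindowsFeature available.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'SMB1'

function Test-Smb1Disabled {
    # The guard: true only when the registry switch and the live server
    # configuration both report SMBv1 off, so a converge can be skipped.
    $reg    = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $regOff = ($null -ne $reg) -and ($reg.$valueName -eq 0)
    $cfgOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    return ($regOff -and $cfgOff)
}

function Disable-Smb1 {
    if (Test-Smb1Disabled) {
        Write-Output 'SMBv1 already disabled; nothing to do'
        return
    }
    # Registry switch read by the LanmanServer service at start-up
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name $valueName -Value 0 -Type DWord
    # Live server configuration, effective without a reboot
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 feature so the driver is not loaded at all
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null   # may require a reboot
    }
    Write-Output 'SMBv1 disabled'
}

Disable-Smb1
```

Running the script twice shows the idempotency the guideline is after: the second run hits the guard and changes nothing.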
Testing the cookbook
Test-Kitchen
This cookbook ships with a test-kitchen setup to verify that the implementation follows the DevSec Windows Baseline:
kitchen test
Chef Server and Chef Compliance
If you use Chef Server, you can bootstrap a node and run a Chef Compliance scan against it. It is recommended to use an EC2 instance in a Chef environment made up of a Chef Server and a Compliance Server. The following command can be used to bootstrap a node:
knife ec2 server create --node-name windows-test --flavor t2.medium --image ami-29eb7e5a --security-group-ids sg-238e5744 --user-data win-userdata.ps1 --winrm-user Administrator --winrm-password Ch4ng3m3 --ssh-key emea-sa-shared -r 'recipe[base-win2012-hardening::enable_winrm_access]'
Please note the following:
* To bootstrap a Windows node using Knife you need a predictable password. The win-userdata.ps1 file in this repo provides this.
* You need a security group that allows WinRM access and RDP access.
* We set a run-list. The enable_winrm_access recipe prepares the node for a manual Compliance scan.
Applying at scale
This cookbook is currently in development; it does not yet cover all requirements for a fully hardened Windows environment, and any contributions to improve it are welcome. If you wish to apply this at scale, use a role and add the cookbook to its run-list; there is no need to apply a specific recipe.
Contributors + Kudos
- Dominik Richter arlimus
- Christoph Hartmann chris-rock
- Simon Fisher simfish85
- Alex Pop alexpop
- Yvo Van Doorn yvovandoorn
- Matthew Tunny MattTunny
Contributing
See [contributor guideline](CONTRIBUTING.md).
License and Author
- Author:: Joe Gardiner joe@grdnr.io joe@chef.io
- Author:: Christoph Hartmann chris@lollyrock.com
- Author:: Chef Software Ltd
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
windows-security-policy >= 0.0.0
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Change Log
v0.9.0 (2017-05-15)
Closed issues:
- Add Windows 2016 support #21
- Platform support #20
- add inspec tests to appveyor test #14
- Make Readme better #3
Merged pull requests:
- use https for ca download in appveyor #28 (chris-rock)
- Add disabling of SMB1 to hardening cookbook #27 (yvovandoorn)
- windows nano support #24 (chris-rock)
- add windows 2016 to vagrant #23 (chris-rock)
- Privacy settings #22 (MattTunny)
- Added case platform windows #19 (grdnrio)
- added powershell hardening #18 (MattTunny)
v0.8.0 (2017-03-16)
Implemented enhancements:
- Rename recipes to be component-oriented #9
Merged pull requests:
- use security policy cookbook #16 (chris-rock)
- rename recipes and clean comments #15 (chris-rock)
v0.7.2 (2017-03-11)
Merged pull requests:
- execute cookbook in appveyor #13 (chris-rock)
- update typo in metadata #12 (chris-rock)
v0.7.1 (2017-02-28)
Implemented enhancements:
- update readme #10 (chris-rock)
Closed issues:
- A fix windows-audit-205 looks missing #8
Merged pull requests:
- Joeg/password #7 (grdnrio)
- Updated recipe structure to match windows hardening benchmark here ht… #6 (grdnrio)
- Added Windows testing and sanitised kitchen.yml #5 (grdnrio)
- Useful README file #4 (grdnrio)
- Refactor recipe names for Rubocop #2 (grdnrio)
- Rubocop scan and config to pass #1 (grdnrio)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
0.9.1 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
0.9.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.9.1 passed this metric
No Binaries Metric
0.9.1 passed this metric
Testing File Metric
0.9.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.9.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number