I am not a DSC (Desired State Configuration) expert; however, the technology has always interested me and, as such, it is something I like to dabble in.
There are many reasons for using PowerShell DSC, and hopefully today I can help enlighten you about some of its uses. DSC can be used for things such as:
Installing IIS and other Windows Features – and making sure they are installed!
Installing Apache – Yes – even on Linux!
Installing scripts and executables
There are other examples, but essentially Microsoft has some good documentation around it.
Enough about what PowerShell DSC is. One of the benefits of DSC is that you can use it to set and maintain a certain configuration, and one good use of this is hardening.
Using the Windows Server 2016 and Windows 10 ADMX templates hosted on the IASE (Information Assurance Support Environment) webpage and the gpoguy ADMXToDSC script, I was able to turn the IASE-compliant GPOs into DSC files, which are a good building block for hardening.
Note: I take no responsibility for any damage incurred and definitely recommend testing and validating before running this in Production.
The rough guide of the process to replicate this is as follows:
On a Windows Server 2012 R2 Server (part of an AD Domain) with Group Policy Management console installed, create a new GPO called ‘WindowsServer2016’
Right-click the GPO and select Import Settings
Follow the prompts, import from the folder where you extracted the ADMX templates, and import the settings for the GPO you want to turn into a DSC script
Once completed, run the ADMXToDSC script; its parameters include the GPO name and output path.
Once done, you have essentially created a good desired state configuration baseline for hardening Windows Server or Windows Desktop.
The ones I created are below:
Windows Server 2016
Note: I added the telnet-client and SMB1 Windows Features to make sure that these are disabled as part of the hardening and you can easily add anything else as suited to your requirements.
Note: The scripts are also hosted on my GitHub repository. Feel free to clone, recommend improvements or fork.
Once you have your DSC scripts you can run them locally on the server by running the following as Administrator in PowerShell:
Or alternatively use Microsoft Azure Automation to set the desired state configuration baseline, apply and maintain the changes going forward.
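To make the local workflow concrete, here is an added example (not the author's generated baseline and not output of the ADMXToDSC script) that keeps the Telnet client and SMB1 features removed, compiles the configuration, applies it and then checks for drift. It assumes Windows PowerShell 5.1 on Windows Server 2016 in an elevated session; the configuration name, output path and the registry value are chosen for illustration.

```powershell
# Added example. Assumes Windows PowerShell 5.1 on Windows Server 2016, run as Administrator.
Configuration HardeningBaselineExample   # hypothetical configuration name
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        # Keep the Telnet client feature removed.
        WindowsFeature TelnetClient
        {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        # Keep the SMB 1.0/CIFS feature removed (removal may need a reboot to complete).
        WindowsFeature SMB1
        {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # Illustrative registry setting: turn off the SMB1 server protocol.
        # Administrative template settings from a GPO are also registry values.
        Registry DisableSmb1Server
        {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# Compile the configuration to a MOF file (constructed output path).
$outputPath = Join-Path $env:TEMP 'HardeningBaselineExample'
HardeningBaselineExample -OutputPath $outputPath | Out-Null

# Apply the compiled configuration to the local machine and wait for it to finish.
Start-DscConfiguration -Path $outputPath -Wait -Verbose -Force

# Drift check: report whether the node still matches the applied configuration
# and list any resource that does not.
$result = Test-DscConfiguration -Detailed
$result.InDesiredState
$result.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState
```

Running `Test-DscConfiguration -Detailed` again later shows which settings have drifted from the baseline without changing anything on the server.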