Skip to content

chef/chef-windows-hardening

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

65 Commits

attributes

attributes

 
 

recipes

recipes

 
 

resources

resources

 
 

spec

spec

 
 

test/integration/default/inspec

test/integration/default/inspec

 
 

.gitignore

.gitignore

 
 

.kitchen.appveyor.yml

.kitchen.appveyor.yml

 
 

.kitchen.yml

.kitchen.yml

 
 

.rubocop.yml

.rubocop.yml

 
 

Berksfile

Berksfile

 
 

CHANGELOG.md

CHANGELOG.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Gemfile

Gemfile

 
 

README.md

README.md

 
 

Rakefile

Rakefile

 
 

appveyor.yml

appveyor.yml

 
 

chefignore

chefignore

 
 

metadata.rb

metadata.rb

 
 

win-userdata.ps1

win-userdata.ps1

 
 

Repository files navigation

windows-hardening (Chef Cookbook)

This cookbook provides recipes for ensuring that a Windows 2012 R2 system is compliant with the DevSec Windows Baseline.

Platforms

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2016 Nano Server

Roadmap

This cookbook aims to be the go-to-resource to implement hardening for Windows environments. In order to achieve that plan to cover the requirements of

  • CIS Windows 2012R2
  • CIS Windows 2016
  • STIG Windows 2012R2

Any contributions to achieve that are welcome!

Coding guidelines

Use Chef resources wherever possible. Some Chef resources we use to manage Windows:

If no Chef resource is available, we prefer to use Powershell or Powershell DSC.

Testing the cookbook

Test-Kitchen

This cookbooks ships with a test-kitchen setup to verify that the implementation follows the DevSec Windows Baseline:

kitchen test

Chef Server and Chef Compliance

If you use Chef Server, you can bootstrap a node and run a Chef Compliance against them it. It is recommended to use an EC2 instance in a Chef environment, made up of a Chef Server and a Compliance Server. The following command can be used for bootstrapping a node.

knife ec2 server create --node-name windows-test --flavor t2.medium --image ami-29eb7e5a --security-group-ids sg-238e5744 --user-data win-userdata.ps1 --winrm-user Administrator --winrm-password Ch4ng3m3 --ssh-key emea-sa-shared -r 'recipe[base-win2012-hardening::enable_winrm_access]'

Please note the following:

  • To bootstrap a Windows node using Knife you need a predictable password. The win-userdata.ps1 file, in this repo, provides this.
  • You need a security group that allows winrm access and RDP access.
  • We set a run-list. The enable_winrm_access recipe prepares the node for a manual Compliance scan.

Applying at scale

This cookbook is currently in development. It does not cover all requirements to provide a fully hardened Windows environment yet. Any contributions are welcome to improve the cookbook. If you wish to apply this at scale, use a role and add the cookbook to its runlist, there is no need to apply a specific recipe.

Contributors + Kudos

Contributing

See contributor guideline.

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

This chef cookbook provides windows hardening configurations for the DevSec Windows baseline profile.

dev-sec.io

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

19 watching

Forks

1 fork
Report repository

Releases

4 tags

Packages

No packages published

Languages

  • Ruby 93.9%
  • PowerShell 6.1%