These Windows Server hardening Chef recipes forked from MattTunny/windows_hardening repository differ from the original in being compatible with chef-apply, converted by wandersick as inspired by readers' feedback of his blog post, Quick Windows Hardening with Infrastructure-as-Code – Chef and Inspec. For details, please refer to the Performing Hardening section of the blog post.
A test run has been performed with the results logged and documented here.
List of files:
windows_hardening
│ LICENSE
│ metadata.rb
│ README.md
│ TESTRUN.md
│
├───files
│ audit_settings.csv
│ localComputer.inf
│ windows_update.ps1
│
├───recipes
│ ciphers.rb
│ core_hardening.rb
│ deleteautologon.rb
│ enable_firewall.rb
│ enable_winrm.rb
│ harden_ntlm.rb
│ harden_winrm.rb
│ schedule_task_update.rb
│ windowsupdate.rb
│
└───test
└───integration
└───default
default_spec.rb
If unmodified, the script should be stored and run under c:\temp\windows_hardening where:
C:\temp\windows_hardening\recipescontains recipes such ascore_hardening.rbC:\temp\windows_hardening\test\integration\defaultcontainsinspectests, i.e.default_spec.rbC:\temp\windows_hardening\filescontains supplementary files, i.e.audit_settings.csv,localComputer.infandwindows_update.ps1- Also, temporary file
tempexport.infwould be generated underC:\temp\wheninspec(test) is run, andsecedit.sdb(alsosecedit.jfm) inC:\temp\windows_hardening\fileswhenchef-applyis run. Be sure to have write permission in those directories
If the script is run from another location, the hard-coded paths in the recipes (i.e. the above entries involving temp folder under C:\) should be modified.
For recipe-specific instructions, refer to comments in each recipe file.
For the original README.md content, refer to MattTunny/windows_hardening
Note: The commands in the original README.md there are unsuitable if you follow the blog post which is compatible with chef-apply