Maintained License: MIT


Introduction

This is the XOAP PowerShell DSC configuration repository.

It is part of our XOAP Automation Forces Open Source community library to give you a quick start into Infrastructure as Code deployments with PowerShell DSC in addition to config.XO.

Please check the links for more info, including usage information and full documentation:

This repository hosts some of the most common DSC configurations that we use in our projects.

You will find the following DSC configurations in this repository:

  • Citrix infrastructure and Citrix optimizer configurations
  • DoD STIG configurations
  • general Windows configurations
  • Microsoft security baseline configurations

Disclaimer

All configurations are provided AS IS. We are not responsible for anything that happens inside your environment because you applied the configurations and did not test them thoroughly before doing so.

Be sure to always test any of these configurations in a separate test environment, on test clients and servers.

Some of the available DSC configurations make severe changes to security-related configurations and could leave your Windows operating system in an unusable state.

So please test once, twice or thrice.


Guidelines

We use the following guidelines to write code so that everyone works in a consistent way. Please check these links before starting to work on changes.

Contributor Covenant

Git Naming Conventions are an important part of the development process. They describe what Branches, Commit Messages, Pull Requests and Tags should look like to make them easily understandable for everybody in the development chain.

Git Naming Conventions

The Conventional Commits specification is a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history, which makes it easier to write automated tools on top of.

Conventional Commits

The better a Pull Request description is, the better a reviewer can understand the changes and decide how to review them. This improves implementation speed and reduces communication between the requester and the reviewer, resulting in much less overhead.

Writing A Great Pull Request Description

Versioning is a crucial part of Terraform Stacks and Modules. Without version tags you cannot clearly create a stable environment and be sure that your latest changes will not crash your production environment (sure, it can still happen, but we are trying our best to implement everything that we can to reduce the risk).

Semantic Versioning


Share the Love

Like this project? Please give it a ★ on our GitHub! It helps us a lot.


Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

If you are interested in being a contributor and want to get involved in developing this project, we would love to hear from you! Email us.

PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  • Fork the repo on GitHub
  • Clone the project to your own machine
  • Commit changes to your own branch
  • Push your work back up to your fork
  • Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!


Usage

Local usage

On most supported Windows versions, you do not have to do anything. On Windows versions prior to Windows Server 2016 or Windows 10, you should install Windows Management Framework 5.1. You can download it here.

Compile and Apply

A typical DSC configuration looks like this:

Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
    Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'

    Node 'MSTF_SecurityBaseline_Edge_v107_Computer'
    {
        # Writes the SitePerProcess policy value to the computer policy file
        RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\Edge\SitePerProcess'
        {
            ValueName  = 'SitePerProcess'
            ValueData  = 1
            ValueType  = 'Dword'
            TargetType = 'ComputerConfiguration'
            Key        = 'HKLM:\Software\Policies\Microsoft\Edge'
        }
    }
}

# Compile the configuration to a MOF file in the given folder
MSTF_SecurityBaseline_Edge_v107_Computer -OutputPath 'C:\MSTF_SecurityBaseline_Edge_v107_Computer'

In order to compile this example, you need to take care that all the referenced DSC modules are available locally.

You can check availability with:

Get-DscResource

If DSC modules are missing, you can install them, for example by running:

Install-Module SecurityPolicyDSC

It could be that you need to install PowerShellGet and the NuGet provider, and that you have to trust the PSGallery to be able to install the DSC modules.

Please be aware that this is the most basic example. We advise always defining the module versions in production environments before compiling, and implementing a versioning system to track changes to those DSC configurations. Not defining versions could lead to compilation errors because of functional changes between module versions.

Defining the versions of the modules could look like this:

Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
    # Pin the resource module to the exact version the configuration was written for
    Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'

    Node 'MSTF_SecurityBaseline_Edge_v107_Computer'
    {
        RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\Edge\SitePerProcess'
        {
            ValueName  = 'SitePerProcess'
            ValueData  = 1
            ValueType  = 'Dword'
            TargetType = 'ComputerConfiguration'
            Key        = 'HKLM:\Software\Policies\Microsoft\Edge'
        }
    }
}

Now that all DSC modules are available and the module versions are defined, run the following commands in PowerShell to compile the configuration locally:

. PATHTOYOURSCRIPT\MSTF_SecurityBaseline_Edge_v107_Computer.ps1
MSTF_SecurityBaseline_Edge_v107_Computer

You should now have a localhost.mof file in this location.

The last step is to apply this configuration to your local host:

Start-DscConfiguration -Path PATHTOYOURCONFIGURATION\MSTF_SecurityBaseline_Edge_v107_Computer -Verbose -Wait

Please be sure to run all of these commands in PowerShell 5.1.
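
A pre-flight wrapper for the steps above, as an added example that is not part of the XOAP repository: it checks that the pinned module version is installed, compiles the configuration, and uses Test-DscConfiguration -ReferenceConfiguration to list which settings would change before anything is applied. The script path, the output folder and the $Pinned table are assumptions to adapt to your environment.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example. Assumed names: $ConfigScript, $OutDir and the $Pinned table.
param(
    [string]$ConfigScript = '.\MSTF_SecurityBaseline_Edge_v107_Computer.ps1',
    [string]$OutDir       = (Join-Path $env:TEMP 'dsc-mof')
)
$ErrorActionPreference = 'Stop'

# Module versions the configuration was written against
# (taken from its Import-DSCResource line).
$Pinned = @{ GPRegistryPolicyDsc = '1.2.0' }

foreach ($name in $Pinned.Keys) {
    $spec = @{ ModuleName = $name; RequiredVersion = $Pinned[$name] }
    if (-not (Get-Module -ListAvailable -FullyQualifiedName $spec)) {
        # AllUsers scope: the LCM runs as SYSTEM and cannot see per-user modules.
        Install-Module -Name $name -RequiredVersion $Pinned[$name] `
            -Repository PSGallery -Scope AllUsers
    }
}

# Dot-source only after the modules exist: Import-DSCResource is resolved when
# the file is parsed, so a missing module fails here and not at compile time.
. $ConfigScript
$mof = MSTF_SecurityBaseline_Edge_v107_Computer -OutputPath $OutDir

# Dry run: compare the local machine against the compiled MOF without changing it.
$result = Test-DscConfiguration -ReferenceConfiguration $mof.FullName

if ($result.InDesiredState) {
    Write-Output 'Machine already matches the configuration; applying it changes nothing.'
}
else {
    Write-Output 'Resources that Start-DscConfiguration would change:'
    $result.ResourcesNotInDesiredState | ForEach-Object { "  $($_.ResourceId)" }
}
```

Review the listed resources on a test machine first, then apply the configuration with the Start-DscConfiguration command shown above.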


Usage in XOAP and config.XO

Refer to our documentation here