Mini Shell
"""
Manage Local Policy on Windows
This module allows configuring local group policy (i.e. ``gpedit.msc``) on a
Windows machine.
.. versionadded:: 2016.11.0
.. warning::
Local Group Policy will always be superseded by Domain Group policy. If
policies are configured with Local Group Policy that are also configured
with Domain Group policy, the Domain Group policy will take precedence.
Administrative Templates
========================
Administrative template policies are dynamically read from ADMX/ADML files on
the server.
Windows Settings
================
Policies contained in the "Windows Settings" section of the ``gpedit.msc`` GUI
are statically defined in this module. Each policy is configured for the section
(Machine/User) in the module's _policy_info class. The ``_policy_info`` class
contains a "policies" dict on how the module will configure the policy, where
the policy resides in the GUI (for display purposes), data validation data, data
transformation data, etc.
Current known limitations
=========================
- At this time, start/shutdown scripts policies are displayed, but are not
configurable.
- Not all "Security Settings" policies exist in the _policy_info class
:depends:
- pywin32 Python module
- lxml
- uuid
- struct
- salt.utils.win_reg
"""
import csv
import ctypes
import glob
import io
import locale
import logging
import os
import re
import tempfile
import time
import uuid
import zlib
import salt.utils.dictupdate as dictupdate
import salt.utils.files
import salt.utils.path
import salt.utils.platform
import salt.utils.stringutils
import salt.utils.win_lgpo_netsh
from salt.exceptions import CommandExecutionError, SaltInvocationError
from salt.serializers.configparser import deserialize
from salt.utils.win_lgpo_reg import (
CLASS_INFO,
REG_POL_HEADER,
read_reg_pol_file,
search_reg_pol,
write_reg_pol_data,
)
log = logging.getLogger(__name__)
__virtualname__ = "lgpo"
__func_alias__ = {"set_": "set"}
UUID = uuid.uuid4().hex
adm_policy_name_map = {True: {}, False: {}}
HAS_WINDOWS_MODULES = False
# define some global XPATH variables that we'll set assuming all our imports are
# good
TRUE_VALUE_XPATH = None
FALSE_VALUE_XPATH = None
ELEMENTS_XPATH = None
ENABLED_VALUE_XPATH = None
DISABLED_VALUE_XPATH = None
ENABLED_LIST_XPATH = None
DISABLED_LIST_XPATH = None
VALUE_XPATH = None
TRUE_LIST_XPATH = None
FALSE_LIST_XPATH = None
REGKEY_XPATH = None
POLICY_ANCESTOR_XPATH = None
ALL_CLASS_POLICY_XPATH = None
ADML_DISPLAY_NAME_XPATH = None
VALUE_LIST_XPATH = None
ENUM_ITEM_DISPLAY_NAME_XPATH = None
ADMX_SEARCH_XPATH = None
ADML_SEARCH_XPATH = None
ADMX_DISPLAYNAME_SEARCH_XPATH = None
PRESENTATION_ANCESTOR_XPATH = None
TEXT_ELEMENT_XPATH = None
try:
import struct
import lxml
import win32net
import win32security
from lxml import etree
from salt.utils.win_reg import Registry
HAS_WINDOWS_MODULES = True
TRUE_VALUE_XPATH = etree.XPath('.//*[local-name() = "trueValue"]')
FALSE_VALUE_XPATH = etree.XPath('.//*[local-name() = "falseValue"]')
ELEMENTS_XPATH = etree.XPath('.//*[local-name() = "elements"]')
ENABLED_VALUE_XPATH = etree.XPath('.//*[local-name() = "enabledValue"]')
DISABLED_VALUE_XPATH = etree.XPath('.//*[local-name() = "disabledValue"]')
ENABLED_LIST_XPATH = etree.XPath('.//*[local-name() = "enabledList"]')
DISABLED_LIST_XPATH = etree.XPath('.//*[local-name() = "disabledList"]')
VALUE_XPATH = etree.XPath('.//*[local-name() = "value"]')
TRUE_LIST_XPATH = etree.XPath('.//*[local-name() = "trueList"]')
FALSE_LIST_XPATH = etree.XPath('.//*[local-name() = "falseList"]')
REGKEY_XPATH = etree.XPath("//*[@key = $keyvalue]")
POLICY_ANCESTOR_XPATH = etree.XPath('ancestor::*[local-name() = "policy"]')
ALL_CLASS_POLICY_XPATH = etree.XPath(
'//*[local-name() = "policy" and (@*[local-name() = "class"] = "Both" or'
' @*[local-name() = "class"] = $registry_class)]'
)
ADML_DISPLAY_NAME_XPATH = etree.XPath(
'//*[local-name() = $displayNameType and @*[local-name() = "id"] ='
" $displayNameId]"
)
VALUE_LIST_XPATH = etree.XPath('.//*[local-name() = "valueList"]')
ENUM_ITEM_DISPLAY_NAME_XPATH = etree.XPath(
'.//*[local-name() = "item" and @*[local-name() = "displayName" ='
" $display_name]]"
)
ADMX_SEARCH_XPATH = etree.XPath(
'//*[local-name() = "policy" and @*[local-name() = "name"] = $policy_name and'
' (@*[local-name() = "class"] = "Both" or @*[local-name() = "class"] ='
" $registry_class)]"
)
ADML_SEARCH_XPATH = etree.XPath(
'//*[starts-with(text(), $policy_name) and @*[local-name() = "id"]]'
)
ADMX_DISPLAYNAME_SEARCH_XPATH = etree.XPath(
'//*[local-name() = "policy" and @*[local-name() = "displayName"] ='
' $display_name and (@*[local-name() = "class"] = "Both" or @*[local-name() ='
' "class"] = $registry_class) ]'
)
PRESENTATION_ANCESTOR_XPATH = etree.XPath(
'ancestor::*[local-name() = "presentation"]'
)
TEXT_ELEMENT_XPATH = etree.XPath('.//*[local-name() = "text"]')
# Get the System Install Language
# https://msdn.microsoft.com/en-us/library/dd318123(VS.85).aspx
# local.windows_locale is a dict
# GetSystemDefaultUILanguage() returns a 4 digit language code that
# corresponds to an entry in the dict
# Not available in win32api, so we have to use ctypes
# Default to `en-US` (1033)
windll = ctypes.windll.kernel32
INSTALL_LANGUAGE = locale.windows_locale.get(
windll.GetSystemDefaultUILanguage(), "en_US"
).replace("_", "-")
except ImportError:
HAS_WINDOWS_MODULES = False
class _policy_info:
r"""
Policy Helper Class
===================
The format of the policy dict is as follows:
The top most two key/value pairs in the dict divide the policies object into
the two sections of local group policy, using the keys "Machine" and "User".
The value make-up of these dicts are described below in "Policy Section
Definition"
Policy Section Definition
-------------------------
A policy section dict has two required key/value pairs:
============ ==============================================================
Key
============ ==============================================================
lgpo_section String matching how the policy section is displayed in the mmc
snap-in ("Computer Configuration" for "Machine" and "User
Configuration" for "User")
policies a dict containing the non-Administrative template policy
definitions, the key for each item is a short/unique
identifier for the policy, the value is described below in
"Policies Definition"
============ ==============================================================
Policies Definition
-------------------
A policies definition item describes the particular policy. There are three
child key/value pairs shared with all policy types:
============ ==============================================================
Key Value
============ ==============================================================
lgpo_section A list containing the hierarchical path to the policy in the
gpedit mmc snap-in.
Policy A string containing the name of the policy in the gpedit mmc
snap-in
Settings An object which describes valid settings for the policy. This
can be None for no validation, a list of possible settings, or
a dict with the following key/value pairs:
- **Function:** The class function to use to validate the
setting
- **Args:** A dict of kwargs to pass to the class function
============ ==============================================================
Additionally, each policies definition will contain a key/value pair that
defines the mechanism that will be used to configure the policy. The
available mechanisms are: NetUserModal, Registry, Secedit, and LsaRights
Registry Mechanism
------------------
Some policies simply set values in the Windows registry. The value of this
key is a dict with the following make-up:
===== =====================================================================
Key Value
===== =====================================================================
Hive A string containing the Registry hive, such as ``HKEY_LOCAL_MACHINE``
Path A string containing the registry key path, such as
``SYSTEM\\CurrentControlSet\\Control\\Lsa``
Value A string containing the name of the registry value, such as
**restrictanonymous**
Type A string containing the registry type of the value, such as
``REG_DWORD``
===== =====================================================================
Secedit Mechanism
-----------------
Some policies are configurable via the "secedit.exe" executable. The value
of this key is a dict with the following make-up:
======= ===================================================================
Key Value
======= ===================================================================
Option A string containing the name of the policy as it appears in an
export from secedit, such as **PasswordComplexity**
Section A string containing the name of the section in which the "Option"
value appears in an export from ``secedit``, such as "System
Access"
======= ===================================================================
LsaRights Mechanism
-------------------
LSA Rights policies are configured via the LsaRights mechanism. The value of
this key is a dict with the following make-up:
====== ====================================================================
Key Value
====== ====================================================================
Option A string containing the programmatic name of the Lsa Right, such as
**SeNetworkLogonRight**
====== ====================================================================
NetUserModal Mechanism
----------------------
Some policies are configurable by the **NetUserModalGet** and
**NetUserModalSet** function from pywin32. The value of this key is a dict
with the following make-up:
====== ====================================================================
Key Value
====== ====================================================================
Modal The modal "level" that the particular option is specified in (0-3),
see `here <https://msdn.microsoft.com/en-us/library/windows/desktop/
aa370656(v=vs.85).aspx>`_
Option The name of the structure member which contains the data for the
policy, for example **max_passwd_age**
====== ====================================================================
NetSH Mechanism
---------------
The firewall policies are configured by the ``netsh.exe`` executable. The
value of this key is a dict with the following make-up:
======= ===================================================================
Key Value
======= ===================================================================
Profile The firewall profile to modify. Can be one of Domain, Private, or
Public
Section The section of the firewall to modify. Can be one of state,
firewallpolicy, settings, or logging.
Option The setting within that section
Value The value of the setting
======= ===================================================================
More information can be found in the advfirewall context in netsh. This can
be access by opening a netsh prompt. At a command prompt type the following:
c:\>netsh
netsh>advfirewall
netsh advfirewall>set help
netsh advfirewall>set domain help
AdvAudit Mechanism
------------------
The Advanced Audit Policies are configured using a combination of the
auditpol command-line utility and modifying the audit.csv file in two
locations. The value of this key is a dict with the following make-up:
====== ===================================
Key Value
====== ===================================
Option The Advanced Audit Policy to modify
====== ===================================
Transforms
----------
Optionally, each policy definition can contain a "Transform" key. The
Transform key is used to handle data that is stored and viewed differently.
This key's value is a dict with the following key/value pairs:
=== =======================================================================
Key Value
=== =======================================================================
Get The name of the class function to use to transform the data from the
stored value to how the value is displayed in the GUI
Put The name of the class function to use to transform the data supplied by
the user to the correct value that the policy is stored in
=== =======================================================================
For example, "Minimum password age" is stored in seconds, but is displayed
in days. Thus the "Get" and "Put" functions for this policy do these
conversions so the user is able to set and view the policy using the same
data that is shown in the GUI.
"""
def __init__(self):
self.audit_lookup = {
0: "No auditing",
1: "Success",
2: "Failure",
3: "Success, Failure",
"Not Defined": "Not Defined",
None: "Not Defined",
}
self.advanced_audit_lookup = {
0: "No Auditing",
1: "Success",
2: "Failure",
3: "Success and Failure",
None: "Not Configured",
}
self.sc_removal_lookup = {
"0": "No Action",
"1": "Lock Workstation",
"2": "Force Logoff",
"3": "Disconnect if a Remote Desktop Services session",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.uac_admin_prompt_lookup = {
0: "Elevate without prompting",
1: "Prompt for credentials on the secure desktop",
2: "Prompt for consent on the secure desktop",
3: "Prompt for credentials",
4: "Prompt for consent",
5: "Prompt for consent for non-Windows binaries",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.uac_user_prompt_lookup = {
0: "Automatically deny elevation requests",
1: "Prompt for credentials on the secure desktop",
3: "Prompt for credentials",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero = {
0: "Disabled",
1: "Enabled",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.enabled_one_disabled_zero,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.enabled_one_disabled_zero,
"value_lookup": True,
},
}
self.s4u2self_options = {
0: "Default",
1: "Enabled",
2: "Disabled",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.audit_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {"lookup": self.audit_lookup, "value_lookup": False},
"PutArgs": {"lookup": self.audit_lookup, "value_lookup": True},
}
self.advanced_audit_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {"lookup": self.advanced_audit_lookup, "value_lookup": False},
"PutArgs": {"lookup": self.advanced_audit_lookup, "value_lookup": True},
}
self.enabled_one_disabled_zero_strings = {
"0": "Disabled",
"1": "Enabled",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero_strings_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.enabled_one_disabled_zero_strings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.enabled_one_disabled_zero_strings,
"value_lookup": True,
},
}
self.security_options_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Local Policies",
"Security Options",
]
self.windows_firewall_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Windows Firewall with Advanced Security",
"Windows Firewall with Advanced Security - Local Group Policy Object",
]
self.password_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Account Policies",
"Password Policy",
]
self.audit_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Local Policies",
"Audit Policy",
]
self.advanced_audit_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Advanced Audit Policy Configuration",
"System Audit Policies - Local Group Policy Object",
]
self.account_lockout_policy_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Account Policies",
"Account Lockout Policy",
]
self.user_rights_assignment_gpedit_path = [
"Computer Configuration",
"Windows Settings",
"Security Settings",
"Local Policies",
"User Rights Assignment",
]
self.block_ms_accounts = {
0: "This policy is disabled",
1: "Users can't add Microsoft accounts",
3: "Users can't add or log on with Microsoft accounts",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ldap_server_binding_token_requirements = {
0: "Never",
1: "When supported",
2: "Always",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ldap_server_signing_requirements = {
1: "None",
2: "Require signing",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.smb_server_name_hardening_levels = {
0: "Off",
1: "Accept if provided by client",
2: "Required from client",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.locked_session_user_info = {
1: "User display name, domain and user names",
2: "User display name only",
3: "Do not display user information",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.force_guest = {
0: "Classic - local users authenticate as themselves",
1: "Guest only - local users authenticate as Guest",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.force_key_protection = {
0: "User input is not required when new keys are stored and used",
1: "User is prompted when the key is first used",
2: "User must enter a password each time they use a key",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.firewall_inbound_connections = {
"blockinbound": "Block (default)",
"blockinboundalways": "Block all connections",
"allowinbound": "Allow",
"notconfigured": "Not configured",
}
self.firewall_outbound_connections = {
"blockoutbound": "Block",
"allowoutbound": "Allow (default)",
"notconfigured": "Not configured",
}
self.firewall_rule_merging = {
"enable": "Yes (default)",
"disable": "No",
"notconfigured": "Not configured",
}
self.firewall_log_packets_connections = {
"enable": "Yes",
"disable": "No (default)",
"notconfigured": "Not configured",
}
self.firewall_notification = {
"enable": "Yes",
"disable": "No",
"notconfigured": "Not configured",
}
self.firewall_state = {
"on": "On (recommended)",
"off": "Off",
"notconfigured": "Not configured",
}
self.krb_encryption_types = {
0: "No minimum",
1: "DES_CBC_CRC",
2: "DES_CBD_MD5",
4: "RC4_HMAC_MD5",
8: "AES128_HMAC_SHA1",
16: "AES256_HMAC_SHA1",
2147483616: "Future Encryption Types",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.lm_compat_levels = {
0: "Send LM & NTLM response",
1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
2: "Send NTLM response only",
3: "Send NTLMv2 response only",
4: "Send NTLMv2 response only. Refuse LM",
5: "Send NTLMv2 response only. Refuse LM & NTLM",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ldap_signing_reqs = {
0: "None",
1: "Negotiate signing",
2: "Require signing",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_session_security_levels = {
0: "No minimum",
524288: "Require NTLMv2 session security",
536870912: "Require 128-bit encryption",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_audit_settings = {
0: "Disable",
1: "Enable auditing for domain accounts",
2: "Enable auditing for all accounts",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_domain_audit_settings = {
0: "Disable",
1: "Enable for domain accounts to domain servers",
3: "Enable for domain accounts",
5: "Enable for domain servers",
7: "Enable all",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.incoming_ntlm_settings = {
0: "Allow all",
1: "Deny all domain accounts",
2: "Deny all accounts",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.ntlm_domain_auth_settings = {
0: "Disable",
1: "Deny for domain accounts to domain servers",
3: "Deny for domain accounts",
5: "Deny for domain servers",
7: "Deny all",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.outgoing_ntlm_settings = {
0: "Allow all",
1: "Audit all",
2: "Deny all",
None: "Not Defined",
"(value not set)": "Not Defined",
}
self.enabled_one_disabled_zero_no_not_defined = {
0: "Disabled",
1: "Enabled",
}
self.enabled_one_disabled_zero_no_not_defined_transform = {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.enabled_one_disabled_zero_no_not_defined,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.enabled_one_disabled_zero_no_not_defined,
"value_lookup": True,
},
}
self.policies = {
"Machine": {
"lgpo_section": "Computer Configuration",
"policies": {
"StartupScripts": {
"Policy": "Startup Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Startup",
],
"ScriptIni": {
"Section": "Startup",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"scripts.ini",
),
},
},
"StartupPowershellScripts": {
"Policy": "Startup Powershell Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Startup",
],
"ScriptIni": {
"Section": "Startup",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
},
},
"StartupPowershellScriptOrder": {
"Policy": (
"Startup - For this GPO, run scripts in the following order"
),
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Startup",
],
"ScriptIni": {
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
"Section": "ScriptsConfig",
"SettingName": "StartExecutePSFirst",
"Settings": ["true", "false", None],
},
"Transform": {
"Get": "_powershell_script_order_conversion",
"Put": "_powershell_script_order_reverse_conversion",
},
},
"ShutdownScripts": {
"Policy": "Shutdown Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Shutdown",
],
"ScriptIni": {
"Section": "Shutdown",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"scripts.ini",
),
},
},
"ShutdownPowershellScripts": {
"Policy": "Shutdown Powershell Scripts",
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Shutdown",
],
"ScriptIni": {
"Section": "Shutdown",
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
},
},
"ShutdownPowershellScriptOrder": {
"Policy": (
"Shutdown - For this GPO, run scripts in the "
"following order"
),
"lgpo_section": [
"Computer Configuration",
"Windows Settings",
"Scripts (Startup/Shutdown)",
"Shutdown",
],
"ScriptIni": {
"IniPath": os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
),
"Section": "ScriptsConfig",
"SettingName": "EndExecutePSFirst",
"Settings": ["true", "false", None],
},
"Transform": {
"Get": "_powershell_script_order_conversion",
"Put": "_powershell_script_order_reverse_conversion",
},
},
"LSAAnonymousNameLookup": {
"Policy": (
"Network access: Allow anonymous SID/Name translation"
),
"lgpo_section": self.password_policy_gpedit_path,
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"Secedit": {
"Option": "LSAAnonymousNameLookup",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"RestrictAnonymousSam": {
"Policy": (
"Network access: Do not allow anonymous "
"enumeration of SAM accounts"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "RestrictAnonymousSam",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"RestrictRemoteSAM": {
"Policy": (
"Network access: Restrict clients allowed to "
"make remote calls to SAM"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa",
"Value": "RestrictRemoteSAM",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"RestrictAnonymous": {
"Policy": (
"Network access: Do not allow anonymous "
"enumeration of SAM accounts and shares"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "RestrictAnonymous",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"DisableDomainCreds": {
"Policy": (
"Network access: Do not allow storage of "
"passwords and credentials for network "
"authentication"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "DisableDomainCreds",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EveryoneIncludesAnonymous": {
"Policy": (
"Network access: Let Everyone permissions "
"apply to anonymous users"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "everyoneincludesanonymous",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"NullSessionPipes": {
"Policy": (
"Network access: Named Pipes that can be "
"accessed anonymously"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "NullSessionPipes",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"RemoteRegistryExactPaths": {
"Policy": "Network access: Remotely accessible registry paths",
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Control\\"
"SecurePipeServers\\winreg\\"
"AllowedExactPaths"
),
"Value": "Machine",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"RemoteRegistryPaths": {
"Policy": (
"Network access: Remotely accessible "
"registry paths and sub-paths"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Control\\"
"SecurePipeServers\\winreg\\AllowedPaths"
),
"Value": "Machine",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"RestrictNullSessAccess": {
"Policy": (
"Network access: Restrict anonymous access "
"to Named Pipes and Shares"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "RestrictNullSessAccess",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"NullSessionShares": {
"Policy": (
"Network access: Shares that can be accessed anonymously"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "NullSessionShares",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"ForceGuest": {
"Policy": (
"Network access: Sharing and security model "
"for local accounts"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.force_guest.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "ForceGuest",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.force_guest,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.force_guest,
"value_lookup": True,
},
},
},
"WfwDomainState": {
"Policy": "Network firewall: Domain: State",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - On (recommended)
# - Off
# - Not configured
"Settings": self.firewall_state.keys(),
"NetSH": {
"Profile": "domain",
"Section": "state",
"Option": "State", # Unused, but needed
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_state,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_state,
"value_lookup": True,
},
},
},
"WfwPrivateState": {
"Policy": "Network firewall: Private: State",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - On (recommended)
# - Off
# - Not configured
"Settings": self.firewall_state.keys(),
"NetSH": {
"Profile": "private",
"Section": "state",
"Option": "State", # Unused, but needed
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_state,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_state,
"value_lookup": True,
},
},
},
"WfwPublicState": {
"Policy": "Network firewall: Public: State",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - On (recommended)
# - Off
# - Not configured
"Settings": self.firewall_state.keys(),
"NetSH": {
"Profile": "public",
"Section": "state",
"Option": "State", # Unused, but needed
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_state,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_state,
"value_lookup": True,
},
},
},
"WfwDomainInboundConnections": {
"Policy": "Network firewall: Domain: Inbound connections",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Block (default)
# - Block all connections
# - Allow
# - Not configured
"Settings": self.firewall_inbound_connections.keys(),
"NetSH": {
"Profile": "domain",
"Section": "firewallpolicy",
"Option": "Inbound",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_inbound_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_inbound_connections,
"value_lookup": True,
},
},
},
"WfwPrivateInboundConnections": {
"Policy": "Network firewall: Private: Inbound connections",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Block (default)
# - Block all connections
# - Allow
# - Not configured
"Settings": self.firewall_inbound_connections.keys(),
"NetSH": {
"Profile": "private",
"Section": "firewallpolicy",
"Option": "Inbound",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_inbound_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_inbound_connections,
"value_lookup": True,
},
},
},
"WfwPublicInboundConnections": {
"Policy": "Network firewall: Public: Inbound connections",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Block (default)
# - Block all connections
# - Allow
# - Not configured
"Settings": self.firewall_inbound_connections.keys(),
"NetSH": {
"Profile": "public",
"Section": "firewallpolicy",
"Option": "Inbound",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_inbound_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_inbound_connections,
"value_lookup": True,
},
},
},
"WfwDomainOutboundConnections": {
"Policy": "Network firewall: Domain: Outbound connections",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Block
# - Allow (default)
# - Not configured
"Settings": self.firewall_outbound_connections.keys(),
"NetSH": {
"Profile": "domain",
"Section": "firewallpolicy",
"Option": "Outbound",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_outbound_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_outbound_connections,
"value_lookup": True,
},
},
},
"WfwPrivateOutboundConnections": {
"Policy": "Network firewall: Private: Outbound connections",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Block
# - Allow (default)
# - Not configured
"Settings": self.firewall_outbound_connections.keys(),
"NetSH": {
"Profile": "private",
"Section": "firewallpolicy",
"Option": "Outbound",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_outbound_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_outbound_connections,
"value_lookup": True,
},
},
},
"WfwPublicOutboundConnections": {
"Policy": "Network firewall: Public: Outbound connections",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Block
# - Allow (default)
# - Not configured
"Settings": self.firewall_outbound_connections.keys(),
"NetSH": {
"Profile": "public",
"Section": "firewallpolicy",
"Option": "Outbound",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_outbound_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_outbound_connections,
"value_lookup": True,
},
},
},
"WfwDomainSettingsNotification": {
"Policy": (
"Network firewall: Domain: Settings: Display a notification"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No
# - Not configured
"Settings": self.firewall_notification.keys(),
"NetSH": {
"Profile": "domain",
"Section": "settings",
"Option": "InboundUserNotification",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_notification,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_notification,
"value_lookup": True,
},
},
},
"WfwPrivateSettingsNotification": {
"Policy": (
"Network firewall: Private: Settings: Display a"
" notification"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No
# - Not configured
"Settings": self.firewall_notification.keys(),
"NetSH": {
"Profile": "private",
"Section": "settings",
"Option": "InboundUserNotification",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_notification,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_notification,
"value_lookup": True,
},
},
},
"WfwPublicSettingsNotification": {
"Policy": (
"Network firewall: Public: Settings: Display a notification"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No
# - Not configured
"Settings": self.firewall_notification.keys(),
"NetSH": {
"Profile": "public",
"Section": "settings",
"Option": "InboundUserNotification",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_notification,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_notification,
"value_lookup": True,
},
},
},
"WfwDomainSettingsLocalFirewallRules": {
"Policy": (
"Network firewall: Domain: Settings: Apply "
"local firewall rules"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
"Settings": self.firewall_rule_merging.keys(),
"NetSH": {
"Profile": "domain",
"Section": "settings",
"Option": "LocalFirewallRules",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": True,
},
},
},
"WfwPrivateSettingsLocalFirewallRules": {
"Policy": (
"Network firewall: Private: Settings: Apply "
"local firewall rules"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
"Settings": self.firewall_rule_merging.keys(),
"NetSH": {
"Profile": "private",
"Section": "settings",
"Option": "LocalFirewallRules",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": True,
},
},
},
"WfwPublicSettingsLocalFirewallRules": {
"Policy": (
"Network firewall: Public: Settings: Apply "
"local firewall rules"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
"Settings": self.firewall_rule_merging.keys(),
"NetSH": {
"Profile": "public",
"Section": "settings",
"Option": "LocalFirewallRules",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": True,
},
},
},
"WfwDomainSettingsLocalConnectionRules": {
"Policy": (
"Network firewall: Domain: Settings: Apply "
"local connection security rules"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
"Settings": self.firewall_rule_merging.keys(),
"NetSH": {
"Profile": "domain",
"Section": "settings",
"Option": "LocalConSecRules",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": True,
},
},
},
"WfwPrivateSettingsLocalConnectionRules": {
"Policy": (
"Network firewall: Private: Settings: Apply "
"local connection security rules"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
"Settings": self.firewall_rule_merging.keys(),
"NetSH": {
"Profile": "private",
"Section": "settings",
"Option": "LocalConSecRules",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": True,
},
},
},
"WfwPublicSettingsLocalConnectionRules": {
"Policy": (
"Network firewall: Public: Settings: Apply "
"local connection security rules"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
"Settings": self.firewall_rule_merging.keys(),
"NetSH": {
"Profile": "public",
"Section": "settings",
"Option": "LocalConSecRules",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_rule_merging,
"value_lookup": True,
},
},
},
"WfwDomainLoggingName": {
"Policy": "Network firewall: Domain: Logging: Name",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - <a full path to a file>
# - Not configured
"Settings": None,
"NetSH": {
"Profile": "domain",
"Section": "logging",
"Option": "FileName",
},
},
"WfwPrivateLoggingName": {
"Policy": "Network firewall: Private: Logging: Name",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - <a full path to a file>
# - Not configured
"Settings": None,
"NetSH": {
"Profile": "private",
"Section": "logging",
"Option": "FileName",
},
},
"WfwPublicLoggingName": {
"Policy": "Network firewall: Public: Logging: Name",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - <a full path to a file>
# - Not configured
"Settings": None,
"NetSH": {
"Profile": "public",
"Section": "logging",
"Option": "FileName",
},
},
"WfwDomainLoggingMaxFileSize": {
"Policy": "Network firewall: Domain: Logging: Size limit (KB)",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - <int between 1 and 32767>
# - Not configured
"Settings": None,
"NetSH": {
"Profile": "domain",
"Section": "logging",
"Option": "MaxFileSize",
},
},
"WfwPrivateLoggingMaxFileSize": {
"Policy": "Network firewall: Private: Logging: Size limit (KB)",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - <int between 1 and 32767>
# - Not configured
"Settings": None,
"NetSH": {
"Profile": "private",
"Section": "logging",
"Option": "MaxFileSize",
},
},
"WfwPublicLoggingMaxFileSize": {
"Policy": "Network firewall: Public: Logging: Size limit (KB)",
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - <int between 1 and 32767>
# - Not configured
"Settings": None,
"NetSH": {
"Profile": "public",
"Section": "logging",
"Option": "MaxFileSize",
},
},
"WfwDomainLoggingAllowedConnections": {
"Policy": (
"Network firewall: Domain: Logging: Log successful"
" connections"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
"Settings": self.firewall_log_packets_connections.keys(),
"NetSH": {
"Profile": "domain",
"Section": "logging",
"Option": "LogAllowedConnections",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": True,
},
},
},
"WfwPrivateLoggingAllowedConnections": {
"Policy": (
"Network firewall: Private: Logging: Log successful"
" connections"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
"Settings": self.firewall_log_packets_connections.keys(),
"NetSH": {
"Profile": "private",
"Section": "logging",
"Option": "LogAllowedConnections",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": True,
},
},
},
"WfwPublicLoggingAllowedConnections": {
"Policy": (
"Network firewall: Public: Logging: Log successful"
" connections"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
"Settings": self.firewall_log_packets_connections.keys(),
"NetSH": {
"Profile": "public",
"Section": "logging",
"Option": "LogAllowedConnections",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": True,
},
},
},
"WfwDomainLoggingDroppedConnections": {
"Policy": (
"Network firewall: Domain: Logging: Log dropped packets"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
"Settings": self.firewall_log_packets_connections.keys(),
"NetSH": {
"Profile": "domain",
"Section": "logging",
"Option": "LogDroppedConnections",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": True,
},
},
},
"WfwPrivateLoggingDroppedConnections": {
"Policy": (
"Network firewall: Private: Logging: Log dropped packets"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
"Settings": self.firewall_log_packets_connections.keys(),
"NetSH": {
"Profile": "private",
"Section": "logging",
"Option": "LogDroppedConnections",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": True,
},
},
},
"WfwPublicLoggingDroppedConnections": {
"Policy": (
"Network firewall: Public: Logging: Log dropped packets"
),
"lgpo_section": self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
"Settings": self.firewall_log_packets_connections.keys(),
"NetSH": {
"Profile": "public",
"Section": "logging",
"Option": "LogDroppedConnections",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.firewall_log_packets_connections,
"value_lookup": True,
},
},
},
"PasswordHistory": {
"Policy": "Enforce password history",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 24},
},
"NetUserModal": {"Modal": 0, "Option": "password_hist_len"},
},
"MaxPasswordAge": {
"Policy": "Maximum password age",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {
"min": 1,
"max": 86313600,
"zero_value": 0xFFFFFFFF,
},
},
"NetUserModal": {"Modal": 0, "Option": "max_passwd_age"},
"Transform": {
"Get": "_seconds_to_days",
"Put": "_days_to_seconds",
"GetArgs": {"zero_value": 0xFFFFFFFF},
"PutArgs": {"zero_value": 0xFFFFFFFF},
},
},
"MinPasswordAge": {
"Policy": "Minimum password age",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 86313600},
},
"NetUserModal": {"Modal": 0, "Option": "min_passwd_age"},
"Transform": {
"Get": "_seconds_to_days",
"Put": "_days_to_seconds",
},
},
"MinPasswordLen": {
"Policy": "Minimum password length",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 14},
},
"NetUserModal": {"Modal": 0, "Option": "min_passwd_len"},
},
"PasswordComplexity": {
"Policy": "Password must meet complexity requirements",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"Secedit": {
"Option": "PasswordComplexity",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"ClearTextPasswords": {
"Policy": "Store passwords using reversible encryption",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"Secedit": {
"Option": "ClearTextPassword",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"RelaxMinimumPasswordLengthLimits": {
"Policy": "Relax minimum password length limits",
"lgpo_section": self.password_policy_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\SAM",
"Value": "RelaxMinimumPasswordLengthLimits",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"AdminAccountStatus": {
"Policy": "Accounts: Administrator account status",
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Secedit": {
"Option": "EnableAdminAccount",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"NoConnectedUser": {
"Policy": "Accounts: Block Microsoft accounts",
"Settings": self.block_ms_accounts.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\policies\\system"
),
"Value": "NoConnectedUser",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.block_ms_accounts,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.block_ms_accounts,
"value_lookup": True,
},
},
},
"GuestAccountStatus": {
"Policy": "Accounts: Guest account status",
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Secedit": {
"Option": "EnableGuestAccount",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"LimitBlankPasswordUse": {
"Policy": (
"Accounts: Limit local account use of blank "
"passwords to console logon only"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero.keys(),
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "limitblankpassworduse",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"RenameAdministratorAccount": {
"Policy": "Accounts: Rename administrator account",
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Secedit": {
"Option": "NewAdministratorName",
"Section": "System Access",
},
"Transform": {"Get": "_strip_quotes", "Put": "_add_quotes"},
},
"RenameGuestAccount": {
"Policy": "Accounts: Rename guest account",
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Secedit": {
"Option": "NewGuestName",
"Section": "System Access",
},
"Transform": {"Get": "_strip_quotes", "Put": "_add_quotes"},
},
"AuditBaseObjects": {
"Policy": "Audit: Audit the access of global system objects",
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "AuditBaseObjects",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"SceNoApplyLegacyAuditPolicy": {
"Policy": (
"Audit: Force audit policy subcategory "
"settings (Windows Vista or later) to "
"override audit policy category settings"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "SCENoApplyLegacyAuditPolicy",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"DontDisplayLastUserName": {
"Policy": "Interactive logon: Do not display last user name",
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "DontDisplayLastUserName",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"CachedLogonsCount": {
"Policy": (
"Interactive logon: Number of previous "
"logons to cache (in case domain controller "
"is not available)"
),
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 50},
},
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "CachedLogonsCount",
"Type": "REG_SZ",
},
},
"ForceUnlockLogon": {
"Policy": (
"Interactive logon: Require Domain "
"Controller authentication to unlock "
"workstation"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "ForceUnlockLogon",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ScRemoveOption": {
"Policy": "Interactive logon: Smart card removal behavior",
"Settings": self.sc_removal_lookup.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "ScRemoveOption",
"Type": "REG_SZ",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.sc_removal_lookup,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.sc_removal_lookup,
"value_lookup": True,
},
},
},
"DisableCAD": {
"Policy": "Interactive logon: Do not require CTRL+ALT+DEL",
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "DisableCAD",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"FilterAdministratorToken": {
"Policy": (
"User Account Control: Admin Approval Mode "
"for the built-in Administrator account"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "FilterAdministratorToken",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EnableUIADesktopToggle": {
"Policy": (
"User Account Control: Allow UIAccess "
"applications to prompt for elevation "
"without using the secure desktop"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "EnableUIADesktopToggle",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ConsentPromptBehaviorAdmin": {
"Policy": (
"User Account Control: Behavior of the "
"elevation prompt for administrators in "
"Admin Approval Mode"
),
"Settings": self.uac_admin_prompt_lookup.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "ConsentPromptBehaviorAdmin",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.uac_admin_prompt_lookup,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.uac_admin_prompt_lookup,
"value_lookup": True,
},
},
},
"ConsentPromptBehaviorUser": {
"Policy": (
"User Account Control: Behavior of the "
"elevation prompt for standard users"
),
"Settings": self.uac_user_prompt_lookup.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "ConsentPromptBehaviorUser",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.uac_user_prompt_lookup,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.uac_user_prompt_lookup,
"value_lookup": True,
},
},
},
"EnableInstallerDetection": {
"Policy": (
"User Account Control: Detect application "
"installations and prompt for elevation"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "EnableInstallerDetection",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ValidateAdminCodeSignatures": {
"Policy": (
"User Account Control: Only elevate "
"executables that are signed and validated"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "ValidateAdminCodeSignatures",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EnableSecureUIAPaths": {
"Policy": (
"User Account Control: Only elevate UIAccess "
"applications that are installed in secure "
"locations"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "EnableSecureUIAPaths",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EnableLUA": {
"Policy": (
"User Account Control: Run all "
"administrators in Admin Approval Mode"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "EnableLUA",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"PromptOnSecureDesktop": {
"Policy": (
"User Account Control: Switch to the secure "
"desktop when prompting for elevation"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "PromptOnSecureDesktop",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EnableVirtualization": {
"Policy": (
"User Account Control: Virtualize file and "
"registry write failures to per-user "
"locations"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "EnableVirtualization",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"PasswordExpiryWarning": {
"Policy": (
"Interactive logon: Prompt user to change "
"password before expiration"
),
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 999},
},
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "PasswordExpiryWarning",
"Type": "REG_DWORD",
},
},
"MaxDevicePasswordFailedAttempts": {
"Policy": (
"Interactive logon: Machine account lockout threshold"
),
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 999},
},
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\policies\\system"
),
"Value": "MaxDevicePasswordFailedAttempts",
"Type": "REG_DWORD",
},
},
"InactivityTimeoutSecs": {
"Policy": "Interactive logon: Machine inactivity limit",
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 599940},
},
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\policies\\system"
),
"Value": "InactivityTimeoutSecs",
"Type": "REG_DWORD",
},
},
"legalnoticetext": {
"Policy": (
"Interactive logon: Message text for users "
"attempting to log on"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\policies\\system"
),
"Value": "legalnoticetext",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"legalnoticecaption": {
"Policy": (
"Interactive logon: Message title for users "
"attempting to log on"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\policies\\system"
),
"Value": "legalnoticecaption",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"DontDisplayLockedUserId": {
"Policy": (
"Interactive logon: Display user information "
"when the session is locked"
),
"Settings": self.locked_session_user_info.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\policies\\system"
),
"Value": "DontDisplayLockedUserId",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.locked_session_user_info,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.locked_session_user_info,
"value_lookup": True,
},
},
},
"ScForceOption": {
"Policy": "Interactive logon: Require smart card",
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "ScForceOption",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"Client_RequireSecuritySignature": {
"Policy": (
"Microsoft network client: Digitally sign "
"communications (always)"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanWorkstation\\Parameters"
),
"Value": "RequireSecuritySignature",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"Client_EnableSecuritySignature": {
"Policy": (
"Microsoft network client: Digitally sign "
"communications (if server agrees)"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanWorkstation\\Parameters"
),
"Value": "EnableSecuritySignature",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EnablePlainTextPassword": {
"Policy": (
"Microsoft network client: Send unencrypted "
"password to third-party SMB servers"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanWorkstation\\Parameters"
),
"Value": "EnablePlainTextPassword",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"AutoDisconnect": {
"Policy": (
"Microsoft network server: Amount of idle "
"time required before suspending session"
),
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 99999},
},
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "AutoDisconnect",
"Type": "REG_DWORD",
},
},
"EnableS4U2SelfForClaims": {
"Policy": (
"Microsoft network server: Attempt S4U2Self "
"to obtain claim information"
),
"Settings": self.s4u2self_options.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "EnableS4U2SelfForClaims",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.s4u2self_options,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.s4u2self_options,
"value_lookup": True,
},
},
},
"Server_RequireSecuritySignature": {
"Policy": (
"Microsoft network server: Digitally sign "
"communications (always)"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "RequireSecuritySignature",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"Server_EnableSecuritySignature": {
"Policy": (
"Microsoft network server: Digitally sign "
"communications (if client agrees)"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "EnableSecuritySignature",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"EnableForcedLogoff": {
"Policy": (
"Microsoft network server: Disconnect "
"clients when logon hours expire"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "EnableForcedLogoff",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"SmbServerNameHardeningLevel": {
"Policy": (
"Microsoft network server: Server SPN target "
"name validation level"
),
"Settings": self.smb_server_name_hardening_levels.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"LanmanServer\\Parameters"
),
"Value": "SmbServerNameHardeningLevel",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.smb_server_name_hardening_levels,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.smb_server_name_hardening_levels,
"value_lookup": True,
},
},
},
"FullPrivilegeAuditing": {
"Policy": (
"Audit: Audit the use of Backup and Restore privilege"
),
"Settings": [chr(0), chr(1)],
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa",
"Value": "FullPrivilegeAuditing",
"Type": "REG_BINARY",
},
"Transform": {
"Get": "_binary_enable_zero_disable_one_conversion",
"Put": "_binary_enable_zero_disable_one_reverse_conversion",
},
},
"CrashOnAuditFail": {
"Policy": (
"Audit: Shut down system immediately if "
"unable to log security audits"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "CrashOnAuditFail",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"UndockWithoutLogon": {
"Policy": "Devices: Allow undock without having to log on",
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows\\"
"CurrentVersion\\Policies\\System"
),
"Value": "UndockWithoutLogon",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"AddPrinterDrivers": {
"Policy": (
"Devices: Prevent users from installing printer drivers"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Control\\"
"Print\\Providers\\LanMan Print Services\\"
"Servers"
),
"Value": "AddPrinterDrivers",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"AllocateDASD": {
"Policy": (
"Devices: Allowed to format and eject removable media"
),
"Settings": ["9999", "0", "1", "2"],
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "AllocateDASD",
"Type": "REG_SZ",
},
"Transform": {
"Get": "_dasd_conversion",
"Put": "_dasd_reverse_conversion",
},
},
"AllocateCDRoms": {
"Policy": (
"Devices: Restrict CD-ROM access to locally "
"logged-on user only"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "AllocateCDRoms",
"Type": "REG_SZ",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"AllocateFloppies": {
"Policy": (
"Devices: Restrict floppy access to locally "
"logged-on user only"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Winlogon"
),
"Value": "AllocateFloppies",
"Type": "REG_SZ",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
# see KB298503 why we aren't just doing this one via the
# registry
"DriverSigningPolicy": {
"Policy": "Devices: Unsigned driver installation behavior",
"Settings": ["3,0", "3," + chr(1), "3," + chr(2)],
"lgpo_section": self.security_options_gpedit_path,
"Secedit": {
"Option": (
"MACHINE\\Software\\Microsoft\\Driver Signing\\Policy"
),
"Section": "Registry Values",
},
"Transform": {
"Get": "_driver_signing_reg_conversion",
"Put": "_driver_signing_reg_reverse_conversion",
},
},
"SubmitControl": {
"Policy": (
"Domain controller: Allow server operators "
"to schedule tasks"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa",
"Value": "SubmitControl",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"VulnerableChannelAllowList": {
"Policy": (
"Domain controller: Allow vulnerable Netlogon "
"secure channel connections"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "VulnerableChannelAllowList",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"LdapEnforceChannelBinding": {
"Policy": "Domain controller: LDAP server channel binding token requirements",
"Settings": self.ldap_server_binding_token_requirements.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\NTDS\\Parameters"
),
"Value": "LdapEnforceChannelBinding",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.ldap_server_binding_token_requirements,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ldap_server_binding_token_requirements,
"value_lookup": True,
},
},
},
"LDAPServerIntegrity": {
"Policy": "Domain controller: LDAP server signing requirements",
"Settings": self.ldap_server_signing_requirements.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\NTDS\\Parameters"
),
"Value": "LDAPServerIntegrity",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.ldap_server_signing_requirements,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ldap_server_signing_requirements,
"value_lookup": True,
},
},
},
"RefusePasswordChange": {
"Policy": (
"Domain controller: Refuse machine account password changes"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SYSTEM\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "RefusePasswordChange",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"RequireSignOrSeal": {
"Policy": (
"Domain member: Digitally encrypt or sign "
"secure channel data (always)"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "RequireSignOrSeal",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"SealSecureChannel": {
"Policy": (
"Domain member: Digitally encrypt secure "
"channel data (when possible)"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "SealSecureChannel",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"SignSecureChannel": {
"Policy": (
"Domain member: Digitally sign secure "
"channel data (when possible)"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "SignSecureChannel",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"DisablePasswordChange": {
"Policy": (
"Domain member: Disable machine account password changes"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "DisablePasswordChange",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"MaximumPasswordAge": {
"Policy": "Domain member: Maximum machine account password age",
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 999},
},
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "MaximumPasswordAge",
"Type": "REG_DWORD",
},
},
"RequireStrongKey": {
"Policy": (
"Domain member: Require strong (Windows 2000 "
"or later) session key"
),
"Settings": self.enabled_one_disabled_zero_strings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Services\\"
"Netlogon\\Parameters"
),
"Value": "RequireStrongKey",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_strings_transform,
},
"LockoutDuration": {
"Policy": "Account lockout duration",
"lgpo_section": self.account_lockout_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {
"min": 0,
"max": 6000000,
"zero_value": 0xFFFFFFFF,
},
},
"NetUserModal": {"Modal": 3, "Option": "lockout_duration"},
"Transform": {
"Get": "_seconds_to_minutes",
"Put": "_minutes_to_seconds",
"GetArgs": {"zero_value": 0xFFFFFFFF},
"PutArgs": {"zero_value": 0xFFFFFFFF},
},
},
"LockoutThreshold": {
"Policy": "Account lockout threshold",
"lgpo_section": self.account_lockout_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 1000},
},
"NetUserModal": {"Modal": 3, "Option": "lockout_threshold"},
},
"LockoutWindow": {
"Policy": "Reset account lockout counter after",
"lgpo_section": self.account_lockout_policy_gpedit_path,
"Settings": {
"Function": "_in_range_inclusive",
"Args": {"min": 0, "max": 6000000},
},
"NetUserModal": {
"Modal": 3,
"Option": "lockout_observation_window",
},
"Transform": {
"Get": "_seconds_to_minutes",
"Put": "_minutes_to_seconds",
},
},
########## BASIC AUDIT POLICIES ##########
# To use these set the following policy to DISABLED:
# - Audit: Force audit policy subcategory settings (Windows
# Vista or later) to override audit policy category
# settings
# or its alias:
# - SceNoApplyLegacyAuditPolicy
# These policies can NOT be set in conjunction with Advanced
# Audit Policies. The Advanced Audit Policies will always
# take precedence. If Advanced Audit Policies are set, the
# Basic Audit Policies will fail to actually apply. The
# LGPO module will complete successfully, but the settings
# will not stick.
# The only way to fix this issue is to remove the
# `audit.csv` files blocking the auditing. Delete them from
# the following locations:
# - C:\Windows\security\audit
# - C:\Windows\System32\GroupPolicy\Machine\Microsoft\
# Windows NT\Audit
"AuditAccountLogon": {
"Policy": "Audit account logon events",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditAccountLogon",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditAccountManage": {
"Policy": "Audit account management",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditAccountManage",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditDSAccess": {
"Policy": "Audit directory service access",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditDSAccess",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditLogonEvents": {
"Policy": "Audit logon events",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditLogonEvents",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditObjectAccess": {
"Policy": "Audit object access",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditObjectAccess",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditPolicyChange": {
"Policy": "Audit policy change",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditPolicyChange",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditPrivilegeUse": {
"Policy": "Audit privilege use",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditPrivilegeUse",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditProcessTracking": {
"Policy": "Audit process tracking",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditProcessTracking",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
"AuditSystemEvents": {
"Policy": "Audit system events",
"lgpo_section": self.audit_policy_gpedit_path,
"Settings": self.audit_lookup.keys(),
"Secedit": {
"Option": "AuditSystemEvents",
"Section": "Event Audit",
},
"Transform": self.audit_transform,
},
########## END OF BASIC AUDIT POLICIES ##########
########## ADVANCED AUDIT POLICIES ##########
# Advanced Audit Policies
# To use these set the following policy to ENABLED:
# - Audit: Force audit policy subcategory settings (Windows
# Vista or later) to override audit policy category
# settings
# or its alias:
# - SceNoApplyLegacyAuditPolicy
# These will always take precedence over Basic Audit
# Policies. In fact, setting these will block Basic Audit
# Policies from being set at all, even if you set these
# back to `Not Configured`.
# The only way to fix this issue and allow Basic Audit
# Policies to be set is to remove the `audit.csv` files
# blocking the auditing. Delete them from the following
# locations:
# - C:\Windows\security\audit
# - C:\Windows\System32\GroupPolicy\Machine\Microsoft\
# Windows NT\Audit
# Account Logon Section
"AuditCredentialValidation": {
"Policy": "Audit Credential Validation",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Credential Validation"},
"Transform": self.advanced_audit_transform,
},
"AuditKerberosAuthenticationService": {
"Policy": "Audit Kerberos Authentication Service",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {
"Option": "Audit Kerberos Authentication Service",
},
"Transform": self.advanced_audit_transform,
},
"AuditKerberosServiceTicketOperations": {
"Policy": "Audit Kerberos Service Ticket Operations",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {
"Option": "Audit Kerberos Service Ticket Operations",
},
"Transform": self.advanced_audit_transform,
},
"AuditOtherAccountLogonEvents": {
"Policy": "Audit Other Account Logon Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Other Account Logon Events"},
"Transform": self.advanced_audit_transform,
},
# Account Management Section
"AuditApplicationGroupManagement": {
"Policy": "Audit Application Group Management",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Application Group Management"},
"Transform": self.advanced_audit_transform,
},
"AuditComputerAccountManagement": {
"Policy": "Audit Computer Account Management",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Computer Account Management"},
"Transform": self.advanced_audit_transform,
},
"AuditDistributionGroupManagement": {
"Policy": "Audit Distribution Group Management",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Distribution Group Management"},
"Transform": self.advanced_audit_transform,
},
"AuditOtherAccountManagementEvents": {
"Policy": "Audit Other Account Management Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {
"Option": "Audit Other Account Management Events",
},
"Transform": self.advanced_audit_transform,
},
"AuditSecurityGroupManagement": {
"Policy": "Audit Security Group Management",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Security Group Management"},
"Transform": self.advanced_audit_transform,
},
"AuditUserAccountManagement": {
"Policy": "Audit User Account Management",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit User Account Management"},
"Transform": self.advanced_audit_transform,
},
# Detailed Tracking Settings
"AuditDPAPIActivity": {
"Policy": "Audit DPAPI Activity",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit DPAPI Activity"},
"Transform": self.advanced_audit_transform,
},
"AuditPNPActivity": {
"Policy": "Audit PNP Activity",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit PNP Activity"},
"Transform": self.advanced_audit_transform,
},
"AuditProcessCreation": {
"Policy": "Audit Process Creation",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Process Creation"},
"Transform": self.advanced_audit_transform,
},
"AuditProcessTermination": {
"Policy": "Audit Process Termination",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Process Termination"},
"Transform": self.advanced_audit_transform,
},
"AuditRPCEvents": {
"Policy": "Audit RPC Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit RPC Events"},
"Transform": self.advanced_audit_transform,
},
"AuditTokenRightAdjusted": {
"Policy": "Audit Token Right Adjusted",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Token Right Adjusted"},
"Transform": self.advanced_audit_transform,
},
# DS Access Section
"AuditDetailedDirectoryServiceReplication": {
"Policy": "Audit Detailed Directory Service Replication",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {
"Option": "Audit Detailed Directory Service Replication",
},
"Transform": self.advanced_audit_transform,
},
"AuditDirectoryServiceAccess": {
"Policy": "Audit Directory Service Access",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Directory Service Access"},
"Transform": self.advanced_audit_transform,
},
"AuditDirectoryServiceChanges": {
"Policy": "Audit Directory Service Changes",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Directory Service Changes"},
"Transform": self.advanced_audit_transform,
},
"AuditDirectoryServiceReplication": {
"Policy": "Audit Directory Service Replication",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Directory Service Replication"},
"Transform": self.advanced_audit_transform,
},
# Logon/Logoff Section
"AuditAccountLockout": {
"Policy": "Audit Account Lockout",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Account Lockout"},
"Transform": self.advanced_audit_transform,
},
"AuditUserDeviceClaims": {
"Policy": "Audit User / Device Claims",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit User / Device Claims"},
"Transform": self.advanced_audit_transform,
},
"AuditGroupMembership": {
"Policy": "Audit Group Membership",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Group Membership"},
"Transform": self.advanced_audit_transform,
},
"AuditIPsecExtendedMode": {
"Policy": "Audit IPsec Extended Mode",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit IPsec Extended Mode"},
"Transform": self.advanced_audit_transform,
},
"AuditIPsecMainMode": {
"Policy": "Audit IPsec Main Mode",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit IPsec Main Mode"},
"Transform": self.advanced_audit_transform,
},
"AuditIPsecQuickMode": {
"Policy": "Audit IPsec Quick Mode",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit IPsec Quick Mode"},
"Transform": self.advanced_audit_transform,
},
"AuditLogoff": {
"Policy": "Audit Logoff",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Logoff"},
"Transform": self.advanced_audit_transform,
},
"AuditLogon": {
"Policy": "Audit Logon",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Logon"},
"Transform": self.advanced_audit_transform,
},
"AuditNetworkPolicyServer": {
"Policy": "Audit Network Policy Server",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Network Policy Server"},
"Transform": self.advanced_audit_transform,
},
"AuditOtherLogonLogoffEvents": {
"Policy": "Audit Other Logon/Logoff Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Other Logon/Logoff Events"},
"Transform": self.advanced_audit_transform,
},
"AuditSpecialLogon": {
"Policy": "Audit Special Logon",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Special Logon"},
"Transform": self.advanced_audit_transform,
},
# Object Access Section
"AuditApplicationGenerated": {
"Policy": "Audit Application Generated",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Application Generated"},
"Transform": self.advanced_audit_transform,
},
"AuditCertificationServices": {
"Policy": "Audit Certification Services",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Certification Services"},
"Transform": self.advanced_audit_transform,
},
"AuditDetailedFileShare": {
"Policy": "Audit Detailed File Share",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Detailed File Share"},
"Transform": self.advanced_audit_transform,
},
"AuditFileShare": {
"Policy": "Audit File Share",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit File Share"},
"Transform": self.advanced_audit_transform,
},
"AuditFileSystem": {
"Policy": "Audit File System",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit File System"},
"Transform": self.advanced_audit_transform,
},
"AuditFilteringPlatformConnection": {
"Policy": "Audit Filtering Platform Connection",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Filtering Platform Connection"},
"Transform": self.advanced_audit_transform,
},
"AuditFilteringPlatformPacketDrop": {
"Policy": "Audit Filtering Platform Packet Drop",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Filtering Platform Packet Drop"},
"Transform": self.advanced_audit_transform,
},
"AuditHandleManipulation": {
"Policy": "Audit Handle Manipulation",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Handle Manipulation"},
"Transform": self.advanced_audit_transform,
},
"AuditKernelObject": {
"Policy": "Audit Kernel Object",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Kernel Object"},
"Transform": self.advanced_audit_transform,
},
"AuditOtherObjectAccessEvents": {
"Policy": "Audit Other Object Access Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Other Object Access Events"},
"Transform": self.advanced_audit_transform,
},
"AuditRegistry": {
"Policy": "Audit Registry",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Registry"},
"Transform": self.advanced_audit_transform,
},
"AuditRemovableStorage": {
"Policy": "Audit Removable Storage",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Removable Storage"},
"Transform": self.advanced_audit_transform,
},
"AuditSAM": {
"Policy": "Audit SAM",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit SAM"},
"Transform": self.advanced_audit_transform,
},
"AuditCentralAccessPolicyStaging": {
"Policy": "Audit Central Access Policy Staging",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Central Access Policy Staging"},
"Transform": self.advanced_audit_transform,
},
# Policy Change Section
"AuditAuditPolicyChange": {
"Policy": "Audit Audit Policy Change",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Audit Policy Change"},
"Transform": self.advanced_audit_transform,
},
"AuditAuthenticationPolicyChange": {
"Policy": "Audit Authentication Policy Change",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Authentication Policy Change"},
"Transform": self.advanced_audit_transform,
},
"AuditAuthorizationPolicyChange": {
"Policy": "Audit Authorization Policy Change",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Authorization Policy Change"},
"Transform": self.advanced_audit_transform,
},
"AuditFilteringPlatformPolicyChange": {
"Policy": "Audit Filtering Platform Policy Change",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {
"Option": "Audit Filtering Platform Policy Change",
},
"Transform": self.advanced_audit_transform,
},
"AuditMPSSVCRuleLevelPolicyChange": {
"Policy": "Audit MPSSVC Rule-Level Policy Change",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {
"Option": "Audit MPSSVC Rule-Level Policy Change",
},
"Transform": self.advanced_audit_transform,
},
"AuditOtherPolicyChangeEvents": {
"Policy": "Audit Other Policy Change Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Other Policy Change Events"},
"Transform": self.advanced_audit_transform,
},
# Privilege Use Section
"AuditNonSensitivePrivilegeUse": {
"Policy": "Audit Non Sensitive Privilege Use",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Non Sensitive Privilege Use"},
"Transform": self.advanced_audit_transform,
},
"AuditOtherPrivilegeUseEvents": {
"Policy": "Audit Other Privilege Use Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Other Privilege Use Events"},
"Transform": self.advanced_audit_transform,
},
"AuditSensitivePrivilegeUse": {
"Policy": "Audit Sensitive Privilege Use",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Sensitive Privilege Use"},
"Transform": self.advanced_audit_transform,
},
# System Section
"AuditIPsecDriver": {
"Policy": "Audit IPsec Driver",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit IPsec Driver"},
"Transform": self.advanced_audit_transform,
},
"AuditOtherSystemEvents": {
"Policy": "Audit Other System Events",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Other System Events"},
"Transform": self.advanced_audit_transform,
},
"AuditSecurityStateChange": {
"Policy": "Audit Security State Change",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Security State Change"},
"Transform": self.advanced_audit_transform,
},
"AuditSecuritySystemExtension": {
"Policy": "Audit Security System Extension",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit Security System Extension"},
"Transform": self.advanced_audit_transform,
},
"AuditSystemIntegrity": {
"Policy": "Audit System Integrity",
"lgpo_section": self.advanced_audit_policy_gpedit_path,
"Settings": self.advanced_audit_lookup.keys(),
"AdvAudit": {"Option": "Audit System Integrity"},
"Transform": self.advanced_audit_transform,
},
########## END OF ADVANCED AUDIT POLICIES ##########
"SeTrustedCredManAccessPrivilege": {
"Policy": "Access Credential Manager as a trusted caller",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeTrustedCredManAccessPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeNetworkLogonRight": {
"Policy": "Access this computer from the network",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeNetworkLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeTcbPrivilege": {
"Policy": "Act as part of the operating system",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeTcbPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeMachineAccountPrivilege": {
"Policy": "Add workstations to domain",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeMachineAccountPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeIncreaseQuotaPrivilege": {
"Policy": "Adjust memory quotas for a process",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeIncreaseQuotaPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeInteractiveLogonRight": {
"Policy": "Allow log on locally",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeInteractiveLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeRemoteInteractiveLogonRight": {
"Policy": "Allow log on through Remote Desktop Services",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeRemoteInteractiveLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeBackupPrivilege": {
"Policy": "Backup files and directories",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeBackupPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeChangeNotifyPrivilege": {
"Policy": "Bypass traverse checking",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeChangeNotifyPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeSystemtimePrivilege": {
"Policy": "Change the system time",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeSystemtimePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeTimeZonePrivilege": {
"Policy": "Change the time zone",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeTimeZonePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeCreatePagefilePrivilege": {
"Policy": "Create a pagefile",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeCreatePagefilePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeCreateTokenPrivilege": {
"Policy": "Create a token object",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeCreateTokenPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeCreateGlobalPrivilege": {
"Policy": "Create global objects",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeCreateGlobalPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeCreatePermanentPrivilege": {
"Policy": "Create permanent shared objects",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeCreatePermanentPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeCreateSymbolicLinkPrivilege": {
"Policy": "Create symbolic links",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeCreateSymbolicLinkPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeDebugPrivilege": {
"Policy": "Debug programs",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeDebugPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeDenyNetworkLogonRight": {
"Policy": "Deny access to this computer from the network",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeDenyNetworkLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeDenyBatchLogonRight": {
"Policy": "Deny log on as a batch job",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeDenyBatchLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeDenyServiceLogonRight": {
"Policy": "Deny log on as a service",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeDenyServiceLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeDenyInteractiveLogonRight": {
"Policy": "Deny log on locally",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeDenyInteractiveLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeDenyRemoteInteractiveLogonRight": {
"Policy": "Deny log on through Remote Desktop Services",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeDenyRemoteInteractiveLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeEnableDelegationPrivilege": {
"Policy": (
"Enable computer and user accounts to be "
"trusted for delegation"
),
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeEnableDelegationPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeRemoteShutdownPrivilege": {
"Policy": "Force shutdown from a remote system",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeRemoteShutdownPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeAuditPrivilege": {
"Policy": "Generate security audits",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeAuditPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeImpersonatePrivilege": {
"Policy": "Impersonate a client after authentication",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeImpersonatePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeIncreaseWorkingSetPrivilege": {
"Policy": "Increase a process working set",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeIncreaseWorkingSetPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeIncreaseBasePriorityPrivilege": {
"Policy": "Increase scheduling priority",
"rights_assignment": True,
"lgpo_section": self.user_rights_assignment_gpedit_path,
"Settings": None,
"LsaRights": {"Option": "SeIncreaseBasePriorityPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeLoadDriverPrivilege": {
"Policy": "Load and unload device drivers",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeLoadDriverPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeLockMemoryPrivilege": {
"Policy": "Lock pages in memory",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeLockMemoryPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeBatchLogonRight": {
"Policy": "Log on as a batch job",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeBatchLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeServiceLogonRight": {
"Policy": "Log on as a service",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeServiceLogonRight"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeSecurityPrivilege": {
"Policy": "Manage auditing and security log",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeSecurityPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeRelabelPrivilege": {
"Policy": "Modify an object label",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeRelabelPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeSystemEnvironmentPrivilege": {
"Policy": "Modify firmware environment values",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeSystemEnvironmentPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeManageVolumePrivilege": {
"Policy": "Perform volume maintenance tasks",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeManageVolumePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeProfileSingleProcessPrivilege": {
"Policy": "Profile single process",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeProfileSingleProcessPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeSystemProfilePrivilege": {
"Policy": "Profile system performance",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeSystemProfilePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeUndockPrivilege": {
"Policy": "Remove computer from docking station",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeUndockPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeAssignPrimaryTokenPrivilege": {
"Policy": "Replace a process level token",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeAssignPrimaryTokenPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeRestorePrivilege": {
"Policy": "Restore files and directories",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeRestorePrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeShutdownPrivilege": {
"Policy": "Shut down the system",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeShutdownPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeSyncAgentPrivilege": {
"Policy": "Synchronize directory service data",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeSyncAgentPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"SeTakeOwnershipPrivilege": {
"Policy": "Take ownership of files or other objects",
"lgpo_section": self.user_rights_assignment_gpedit_path,
"rights_assignment": True,
"Settings": None,
"LsaRights": {"Option": "SeTakeOwnershipPrivilege"},
"Transform": {
"Get": "_sidConversion",
"Put": "_usernamesToSidObjects",
},
},
"RecoveryConsoleSecurityLevel": {
"Policy": (
"Recovery console: Allow automatic administrative logon"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Setup\\RecoveryConsole"
),
"Value": "SecurityLevel",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"RecoveryConsoleSetCommand": {
"Policy": (
"Recovery console: Allow floppy copy and "
"access to all drives and all folders"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"Software\\Microsoft\\Windows NT\\"
"CurrentVersion\\Setup\\RecoveryConsole"
),
"Value": "SetCommand",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ForceKeyProtection": {
"Policy": (
"System Cryptography: Force strong key protection for "
"user keys stored on the computer"
),
"Settings": self.force_key_protection.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "Software\\Policies\\Microsoft\\Cryptography",
"Value": "ForceKeyProtection",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.force_key_protection,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.force_key_protection,
"value_lookup": True,
},
},
},
"FIPSAlgorithmPolicy": {
"Policy": (
"System Cryptography: Use FIPS compliant algorithms "
"for encryption, hashing, and signing"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy",
"Value": "Enabled",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"MachineAccessRestriction": {
"Policy": (
"DCOM: Machine Access Restrictions in Security Descriptor "
"Definition Language (SDDL) syntax"
),
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "Software\\Policies\\Microsoft\\Windows NT\\DCOM",
"Value": "MachineAccessRestriction",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"MachineLaunchRestriction": {
"Policy": (
"DCOM: Machine Launch Restrictions in Security Descriptor "
"Definition Language (SDDL) syntax"
),
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "Software\\Policies\\Microsoft\\Windows NT\\DCOM",
"Value": "MachineLaunchRestriction",
"Type": "REG_SZ",
},
"Transform": {"Put": "_string_put_transform"},
},
"UseMachineId": {
"Policy": (
"Network security: Allow Local System to use computer "
"identity for NTLM"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "UseMachineId",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"allownullsessionfallback": {
"Policy": (
"Network security: Allow LocalSystem NULL session fallback"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
"Value": "allownullsessionfallback",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"AllowOnlineID": {
"Policy": (
"Network security: Allow PKU2U authentication requests "
"to this computer to use online identities."
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa\\pku2u",
"Value": "AllowOnlineID",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"KrbSupportedEncryptionTypes": {
"Policy": (
"Network security: Configure encryption types allowed "
"for Kerberos"
),
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies"
"\\system\\Kerberos\\Parameters"
),
"Value": "SupportedEncryptionTypes",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup_bitwise_add",
"Put": "_dict_lookup_bitwise_add",
"GetArgs": {
"lookup": self.krb_encryption_types,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.krb_encryption_types,
"value_lookup": True,
},
},
},
"NoLMHash": {
"Policy": (
"Network security: Do not store LAN Manager hash value "
"on next password change"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "NoLMHash",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ForceLogoffWhenHourExpire": {
"Policy": (
"Network security: Force logoff when logon hours expire"
),
"lgpo_section": self.security_options_gpedit_path,
"Settings": self.enabled_one_disabled_zero_no_not_defined.keys(),
"Secedit": {
"Option": "ForceLogoffWhenHourExpire",
"Section": "System Access",
},
"Transform": self.enabled_one_disabled_zero_no_not_defined_transform,
},
"LmCompatibilityLevel": {
"Policy": "Network security: LAN Manager authentication level",
"Settings": self.lm_compat_levels.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa",
"Value": "LmCompatibilityLevel",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.lm_compat_levels,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.lm_compat_levels,
"value_lookup": True,
},
},
},
"LDAPClientIntegrity": {
"Policy": "Network security: LDAP client signing requirements",
"Settings": self.ldap_signing_reqs.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Services\\ldap",
"Value": "LDAPClientIntegrity",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.ldap_signing_reqs,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ldap_signing_reqs,
"value_lookup": True,
},
},
},
"NTLMMinClientSec": {
"Policy": (
"Network security: Minimum session security for NTLM SSP"
" based (including secure RPC) clients"
),
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
"Value": "NTLMMinClientSec",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup_bitwise_add",
"Put": "_dict_lookup_bitwise_add",
"GetArgs": {
"lookup": self.ntlm_session_security_levels,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ntlm_session_security_levels,
"value_lookup": True,
},
},
},
"NTLMMinServerSec": {
"Policy": (
"Network security: Minimum session security for NTLM SSP"
" based (including secure RPC) servers"
),
"Settings": None,
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
"Value": "NTLMMinServerSec",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup_bitwise_add",
"Put": "_dict_lookup_bitwise_add",
"GetArgs": {
"lookup": self.ntlm_session_security_levels,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ntlm_session_security_levels,
"value_lookup": True,
},
},
},
"ClientAllowedNTLMServers": {
"Policy": (
"Network security: Restrict NTLM: Add remote server"
" exceptions for NTLM authentication"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
"Value": "ClientAllowedNTLMServers",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"DCAllowedNTLMServers": {
"Policy": (
"Network security: Restrict NTLM: Add server exceptions"
" in this domain"
),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "System\\CurrentControlSet\\Services\\Netlogon\\Parameters",
"Value": "DCAllowedNTLMServers",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"AuditReceivingNTLMTraffic": {
"Policy": (
"Network security: Restrict NTLM: Audit Incoming NTLM"
" Traffic"
),
"Settings": self.ntlm_audit_settings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0",
"Value": "AuditReceivingNTLMTraffic",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.ntlm_audit_settings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ntlm_audit_settings,
"value_lookup": True,
},
},
},
"AuditNTLMInDomain": {
"Policy": (
"Network security: Restrict NTLM: Audit NTLM "
"authentication in this domain"
),
"Settings": self.ntlm_domain_audit_settings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters",
"Value": "AuditNTLMInDomain",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.ntlm_domain_audit_settings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ntlm_domain_audit_settings,
"value_lookup": True,
},
},
},
"RestrictReceivingNTLMTraffic": {
"Policy": (
"Network security: Restrict NTLM: Incoming NTLM traffic"
),
"Settings": self.incoming_ntlm_settings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0",
"Value": "RestrictReceivingNTLMTraffic",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.incoming_ntlm_settings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.incoming_ntlm_settings,
"value_lookup": True,
},
},
},
"RestrictNTLMInDomain": {
"Policy": (
"Network security: Restrict NTLM: NTLM "
"authentication in this domain"
),
"Settings": self.ntlm_domain_auth_settings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters",
"Value": "RestrictNTLMInDomain",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.ntlm_domain_auth_settings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.ntlm_domain_auth_settings,
"value_lookup": True,
},
},
},
"RestrictSendingNTLMTraffic": {
"Policy": (
"Network security: Restrict NTLM: Outgoing NTLM"
" traffic to remote servers"
),
"Settings": self.outgoing_ntlm_settings.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
"Value": "RestrictSendingNTLMTraffic",
"Type": "REG_DWORD",
},
"Transform": {
"Get": "_dict_lookup",
"Put": "_dict_lookup",
"GetArgs": {
"lookup": self.outgoing_ntlm_settings,
"value_lookup": False,
},
"PutArgs": {
"lookup": self.outgoing_ntlm_settings,
"value_lookup": True,
},
},
},
"ShutdownWithoutLogon": {
"Policy": (
"Shutdown: Allow system to be shut down "
"without having to log on"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system",
"Value": "ShutdownWithoutLogon",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ClearPageFileAtShutdown": {
"Policy": "Shutdown: Clear virtual memory pagefile",
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Control\\"
"SESSION MANAGER\\MEMORY MANAGEMENT"
),
"Value": "ClearPageFileAtShutdown",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ObCaseInsensitive": {
"Policy": (
"System objects: Require case insensitivity for "
"non-Windows subsystems"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Control\\"
"SESSION MANAGER\\Kernel"
),
"Value": "ObCaseInsensitive",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"ProtectionMode": {
"Policy": (
"System objects: Strengthen default permissions of "
"internal system objects (e.g. Symbolic Links)"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Control\\SESSION MANAGER"
),
"Value": "ProtectionMode",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
"OptionalSubsystems": {
"Policy": "System settings: Optional subsystems",
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": (
"System\\CurrentControlSet\\Control\\"
"SESSION MANAGER\\SubSystems"
),
"Value": "optional",
"Type": "REG_MULTI_SZ",
},
"Transform": {
"Put": "_multi_string_put_transform",
"Get": "_multi_string_get_transform",
},
},
"AuthenticodeEnabled": {
"Policy": (
"System settings: Use Certificate Rules on Windows"
" Executables for Software Restriction Policies"
),
"Settings": self.enabled_one_disabled_zero.keys(),
"lgpo_section": self.security_options_gpedit_path,
"Registry": {
"Hive": "HKEY_LOCAL_MACHINE",
"Path": "SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers",
"Value": "AuthenticodeEnabled",
"Type": "REG_DWORD",
},
"Transform": self.enabled_one_disabled_zero_transform,
},
},
},
"User": {"lgpo_section": "User Configuration", "policies": {}},
}
@classmethod
def _notEmpty(cls, val, **kwargs):
"""
ensures a value is not empty
"""
if val:
return True
else:
return False
@classmethod
def _seconds_to_days(cls, val, **kwargs):
"""
converts a number of seconds to days
"""
zero_value = kwargs.get("zero_value", 0)
if val is not None:
if val == zero_value:
return 0
return val / 86400
else:
return "Not Defined"
@classmethod
def _days_to_seconds(cls, val, **kwargs):
"""
converts a number of days to seconds
"""
zero_value = kwargs.get("zero_value", 0)
if val is not None:
if val == 0:
return zero_value
return val * 86400
else:
return "Not Defined"
@classmethod
def _seconds_to_minutes(cls, val, **kwargs):
"""
converts a number of seconds to minutes
"""
zero_value = kwargs.get("zero_value", 0)
if val is not None:
if val == zero_value:
return 0
return val / 60
else:
return "Not Defined"
@classmethod
def _minutes_to_seconds(cls, val, **kwargs):
"""
converts number of minutes to seconds
"""
zero_value = kwargs.get("zero_value", 0)
if val is not None:
if val == 0:
return zero_value
return val * 60
else:
return "Not Defined"
@classmethod
def _strip_quotes(cls, val, **kwargs):
"""
strips quotes from a string
"""
return val.replace('"', "")
@classmethod
def _add_quotes(cls, val, **kwargs):
"""
add quotes around the string
"""
return f'"{val}"'
@classmethod
def _binary_enable_zero_disable_one_conversion(cls, val, **kwargs):
"""
converts a binary 0/1 to Disabled/Enabled
"""
try:
if val is not None:
if ord(val) == 0:
return "Disabled"
elif ord(val) == 1:
return "Enabled"
else:
return f"Invalid Value: {val!r}"
else:
return "Not Defined"
except TypeError:
return "Invalid Value"
@classmethod
def _binary_enable_zero_disable_one_reverse_conversion(cls, val, **kwargs):
"""
converts Enabled/Disabled to unicode char to write to a REG_BINARY value
"""
if val is not None:
if val.upper() == "DISABLED":
return chr(0)
elif val.upper() == "ENABLED":
return chr(1)
else:
return None
else:
return None
@classmethod
def _dasd_conversion(cls, val, **kwargs):
"""
converts 0/1/2 for dasd reg key
"""
if val is not None:
if val == "0" or val == 0 or val == "":
return "Administrators"
elif val == "1" or val == 1:
return "Administrators and Power Users"
elif val == "2" or val == 2:
return "Administrators and Interactive Users"
else:
return "Not Defined"
else:
return "Not Defined"
@classmethod
def _dasd_reverse_conversion(cls, val, **kwargs):
"""
converts DASD String values to the reg_sz value
"""
if val is not None:
if val.upper() == "ADMINISTRATORS":
# "" also shows 'administrators' in the GUI
return "0"
elif val.upper() == "ADMINISTRATORS AND POWER USERS":
return "1"
elif val.upper() == "ADMINISTRATORS AND INTERACTIVE USERS":
return "2"
elif val.upper() == "NOT DEFINED":
# a setting of anything other than nothing, 0, 1, 2 or if it
# doesn't exist show 'not defined'
return "9999"
else:
return "Invalid Value"
else:
return "Not Defined"
@classmethod
def _in_range_inclusive(cls, val, **kwargs):
"""
checks that a value is in an inclusive range
The value for 0 used by Max Password Age is actually 0xffffffff
"""
minimum = kwargs.get("min", 0)
maximum = kwargs.get("max", 1)
zero_value = kwargs.get("zero_value", 0)
if isinstance(val, str):
if val.lower() == "not defined":
return True
else:
try:
val = int(val)
except ValueError:
return False
if val is not None:
if minimum <= val <= maximum or val == zero_value:
return True
else:
return False
else:
return False
@classmethod
def _driver_signing_reg_conversion(cls, val, **kwargs):
"""
converts the binary value in the registry for driver signing into the
correct string representation
"""
log.trace("we have %s for the driver signing value", val)
if val is not None:
# since this is from secedit, it should be 3,<value>
_val = val.split(",")
if len(_val) == 2:
if _val[1] == "0":
return "Silently Succeed"
elif _val[1] == "1":
return "Warn but allow installation"
elif _val[1] == "2":
return "Do not allow installation"
elif _val[1] == "Not Defined":
return "Not Defined"
else:
return "Invalid Value"
else:
return "Not Defined"
else:
return "Not Defined"
@classmethod
def _driver_signing_reg_reverse_conversion(cls, val, **kwargs):
"""
converts the string value seen in the GUI to the correct registry value
for secedit
"""
if val is not None:
if val.upper() == "SILENTLY SUCCEED":
return ",".join(["3", "0"])
elif val.upper() == "WARN BUT ALLOW INSTALLATION":
return ",".join(["3", chr(1)])
elif val.upper() == "DO NOT ALLOW INSTALLATION":
return ",".join(["3", chr(2)])
else:
return "Invalid Value"
else:
return "Not Defined"
@classmethod
def _sidConversion(cls, val, **kwargs):
"""
converts a list of pysid objects to string representations
"""
usernames = []
for _sid in val:
try:
userSid = win32security.LookupAccountSid("", _sid)
if userSid[1]:
userSid = f"{userSid[1]}\\{userSid[0]}"
else:
userSid = f"{userSid[0]}"
# TODO: This needs to be more specific
except Exception: # pylint: disable=broad-except
userSid = win32security.ConvertSidToStringSid(_sid)
log.warning(
"Unable to convert SID '%s' to a friendly name. "
"The SID will be displayed instead of a user/group name.",
userSid,
)
usernames.append(userSid)
return usernames
@classmethod
def _usernamesToSidObjects(cls, val, **kwargs):
"""
converts a list of usernames to sid objects
"""
if not val:
return val
if isinstance(val, str):
val = val.split(",")
sids = []
for _user in val:
try:
sid = win32security.LookupAccountName("", _user)[0]
sids.append(sid)
# This needs to be more specific
except Exception as e: # pylint: disable=broad-except
log.exception("Handle this explicitly")
raise CommandExecutionError(
'There was an error obtaining the SID of user "{}". Error '
"returned: {}".format(_user, e)
)
return sids
@classmethod
def _powershell_script_order_conversion(cls, val, **kwargs):
"""
converts true/false/None to the GUI representation of the powershell
startup/shutdown script order
"""
log.trace("script order value = %s", val)
if val is None or val == "None":
return "Not Configured"
elif val == "true":
return "Run Windows PowerShell scripts first"
elif val == "false":
return "Run Windows PowerShell scripts last"
else:
return "Invalid Value"
@classmethod
def _powershell_script_order_reverse_conversion(cls, val, **kwargs):
"""
converts powershell script GUI strings representations to
True/False/None
"""
if val.upper() == "Run Windows PowerShell scripts first".upper():
return "true"
elif val.upper() == "Run Windows PowerShell scripts last".upper():
return "false"
elif val == "Not Configured":
return None
else:
return "Invalid Value"
@classmethod
def _dict_lookup(cls, item, **kwargs):
"""
Retrieves the key or value from a dict based on the item
kwarg lookup dict to search for item
kwarg value_lookup bool to determine if item should be compared to keys
or values
"""
log.trace("item == %s", item)
value_lookup = kwargs.get("value_lookup", False)
if "lookup" in kwargs:
for k, v in kwargs["lookup"].items():
if value_lookup:
if str(v).lower() == str(item).lower():
log.trace("returning key %s", k)
return k
else:
if str(k).lower() == str(item).lower():
log.trace("returning value %s", v)
return v
return "Invalid Value"
@classmethod
def _dict_lookup_bitwise_add(cls, item, **kwargs):
"""
kwarg value_lookup bool to determine if item_list should be compared to keys
or values
kwarg test_zero is used to determine if 0 should be tested when value_lookup is false
lookup should be a dict with integers for keys
if value_lookup is True, item is expected to be a list
the function will return the sum of the keys whose values are in the item list
if value_lookup is False, item is expected to be an integer
the function will return the values for the keys
which successfully "bitwise and" with item
"""
value_lookup = kwargs.get("value_lookup", False)
test_zero = kwargs.get("test_zero", False)
ret_val = None
if str(item).lower() == "not defined":
return None
if value_lookup:
if not isinstance(item, list):
return "Invalid Value: Not a list"
ret_val = 0
else:
if not isinstance(item, int):
return "Invalid Value: Not an int"
ret_val = []
if "lookup" in kwargs:
for k, v in kwargs["lookup"].items():
if value_lookup:
if str(v).lower() in [z.lower() for z in item]:
ret_val = ret_val + k
else:
do_test = True
if not test_zero:
if k == 0:
do_test = False
if do_test and isinstance(k, int) and item & k == k:
ret_val.append(v)
else:
return "Invalid Value: No lookup passed"
return ret_val
@classmethod
def _multi_string_put_transform(cls, item, **kwargs):
"""
transform for setting REG_MULTI_SZ to properly handle "Not Defined"
"""
if isinstance(item, list):
return item
elif isinstance(item, str):
if item.lower() == "not defined":
return None
else:
return item.split(",")
else:
return "Invalid Value"
@classmethod
def _multi_string_get_transform(cls, item, **kwargs):
"""
transform for getting REG_MULTI_SZ to properly handle `None`
"""
if isinstance(item, list):
return item
elif item is None:
return "Not Defined"
else:
return "Invalid Value"
@classmethod
def _string_put_transform(cls, item, **kwargs):
"""
transform for a REG_SZ to properly handle "Not Defined"
"""
if isinstance(item, str):
if item.lower() == "not defined":
return None
else:
return item
def __virtual__():
"""
Only works on Windows systems
"""
if not salt.utils.platform.is_windows():
return False, "win_lgpo: Not a Windows System"
if not HAS_WINDOWS_MODULES:
return False, "win_lgpo: Required modules failed to load"
return __virtualname__
def _updateNamespace(item, new_namespace):
"""
helper function to recursively update the namespaces of an item
"""
temp_item = ""
i = item.tag.find("}")
if i >= 0:
temp_item = item.tag[i + 1 :]
else:
temp_item = item.tag
item.tag = f"{{{new_namespace}}}{temp_item}"
for child in item.getiterator():
if isinstance(child.tag, str):
temp_item = ""
i = child.tag.find("}")
if i >= 0:
temp_item = child.tag[i + 1 :]
else:
temp_item = child.tag
child.tag = f"{{{new_namespace}}}{temp_item}"
return item
def _updatePolicyElements(policy_item, regkey):
"""
helper function to add the reg key to each policies element definitions if
the key attribute is not defined to make xpath searching easier for each
child in the policy <elements> item
"""
for child in policy_item.getiterator():
if "valueName" in child.attrib:
if "key" not in child.attrib:
child.attrib["key"] = regkey
return policy_item
def _remove_unicode_encoding(xml_file):
"""
attempts to remove the "encoding='unicode'" from an xml file
as lxml does not support that on a windows node currently
see issue #38100 (Search.adml)
For some reason this file is encoded 'utf-16'
"""
with salt.utils.files.fopen(xml_file, "rb") as f:
xml_content = f.read()
modified_xml = re.sub(
r' encoding=[\'"]+unicode[\'"]+', "", xml_content.decode("utf-16"), count=1
)
xml_tree = lxml.etree.parse(io.StringIO(modified_xml))
return xml_tree
def _remove_invalid_xmlns(xml_file):
"""
Attempts to remove an invalid xmlns entry in newer versions of
WindowsDefender.adml
xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
For some reason this file is encoded 'utf-8'
"""
with salt.utils.files.fopen(xml_file, "rb") as f:
xml_content = f.read()
modified_xml = re.sub(
r' xmlns=[\'"]+.*[\'"]+', "", xml_content.decode("utf-8"), count=1
)
xml_tree = lxml.etree.parse(io.StringIO(modified_xml))
return xml_tree
def _parse_xml(adm_file):
"""
Parse the admx/adml file. There are 3 scenarios (so far) that we'll likely
encounter:
1. Valid File
2. invalid encoding (encoding="unicode") which the lxml library doesn't
recognize
3. invalid xmlns entry in the xml header, which the lxml library doesn't
recognize
"""
parser = lxml.etree.XMLParser(remove_comments=True)
modified_xml = ""
with salt.utils.files.fopen(adm_file, "rb") as rfh:
file_hash = f"{zlib.crc32(rfh.read()) & 0xFFFFFFFF:X}"
name, ext = os.path.splitext(os.path.basename(adm_file))
hashed_filename = f"{name}-{file_hash}{ext}"
cache_dir = os.path.join(__opts__["cachedir"], "lgpo", "policy_defs")
if not os.path.exists(cache_dir):
os.makedirs(cache_dir)
out_file = os.path.join(cache_dir, hashed_filename)
if not os.path.isfile(out_file):
log.debug("LGPO: Generating policy template cache for %s%s", name, ext)
# Remove old files, keep the cache clean
file_list = glob.glob(os.path.join(cache_dir, f"{name}*{ext}"))
for file_path in file_list:
os.remove(file_path)
# Lowercase all the keys
with salt.utils.files.fopen(adm_file, "rb") as rfh:
encoding = "utf-8"
raw = rfh.read()
try:
raw = raw.decode(encoding)
except UnicodeDecodeError:
log.trace("LGPO: Detecting encoding")
encoding = "utf-16"
raw = raw.decode(encoding)
for line in raw.split("\r\n"):
if 'key="' in line:
start = line.index('key="')
q1 = line[start:].index('"') + start
q2 = line[q1 + 1 :].index('"') + q1 + 1
line = line.replace(line[start:q2], line[start:q2].lower())
found_key = True
modified_xml += line + "\r\n"
# Convert smart quotes to regular quotes
modified_xml = modified_xml.replace("\u201c", '"').replace("\u201d", '"')
modified_xml = modified_xml.replace("\u2018", "'").replace("\u2019", "'")
# Convert em dash and en dash to dash
modified_xml = modified_xml.replace("\u2013", "-").replace("\u2014", "-")
with salt.utils.files.fopen(out_file, "wb") as wfh:
wfh.write(modified_xml.encode(encoding))
try:
# First we'll try to parse valid xml
xml_tree = lxml.etree.parse(out_file, parser=parser)
except lxml.etree.XMLSyntaxError:
try:
# Next we'll try invalid encoding (see issue #38100)
xml_tree = _remove_unicode_encoding(out_file)
except lxml.etree.XMLSyntaxError:
# Finally we'll try invalid xmlns entry, if this fails, we just want
# to raise the error
xml_tree = _remove_invalid_xmlns(out_file)
return xml_tree
def _load_policy_definitions(path="c:\\Windows\\PolicyDefinitions", language="en-US"):
"""
helper function to process all ADMX files in the specified policy_def_path
and build a single XML doc that we can search/use for ADMX policy processing
"""
# Fallback to the System Install Language
display_language_fallback = INSTALL_LANGUAGE
t_policy_definitions = lxml.etree.Element("policyDefinitions")
t_policy_definitions.append(lxml.etree.Element("categories"))
t_policy_definitions.append(lxml.etree.Element("policies"))
t_policy_definitions.append(lxml.etree.Element("policyNamespaces"))
t_policy_definition_resources = lxml.etree.Element("policyDefinitionResources")
policydefs_policies_xpath = etree.XPath("/policyDefinitions/policies")
policydefs_categories_xpath = etree.XPath("/policyDefinitions/categories")
policydefs_policyns_xpath = etree.XPath("/policyDefinitions/policyNamespaces")
policydefs_resources_localname_xpath = etree.XPath(
'//*[local-name() = "policyDefinitionResources"]/*'
)
policydef_resources_xpath = etree.XPath("/policyDefinitionResources")
for root, dirs, files in salt.utils.path.os_walk(path):
if root == path:
for t_admx_file in files:
admx_file_name, admx_file_ext = os.path.splitext(t_admx_file)
# Only process ADMX files, any other file will cause a
# stacktrace later on
if not admx_file_ext == ".admx":
log.debug("%s is not an ADMX file", t_admx_file)
continue
admx_file = os.path.join(root, t_admx_file)
# Parse xml for the ADMX file
try:
xml_tree = _parse_xml(admx_file)
except lxml.etree.XMLSyntaxError:
log.error(
"An error was found while processing admx "
"file %s, all policies from this file will "
"be unavailable via this module",
admx_file,
)
continue
namespaces = xml_tree.getroot().nsmap
namespace_string = ""
if None in namespaces:
namespaces["None"] = namespaces[None]
namespaces.pop(None)
namespace_string = "None:"
this_namespace = xml_tree.xpath(
"/{0}policyDefinitions/{0}policyNamespaces/{0}target/@namespace".format(
namespace_string
),
namespaces=namespaces,
)[0]
categories = xml_tree.xpath(
"/{0}policyDefinitions/{0}categories/{0}category".format(
namespace_string
),
namespaces=namespaces,
)
for category in categories:
temp_cat = category
temp_cat = _updateNamespace(temp_cat, this_namespace)
policydefs_categories_xpath(t_policy_definitions)[0].append(
temp_cat
)
policies = xml_tree.xpath(
"/{0}policyDefinitions/{0}policies/{0}policy".format(
namespace_string
),
namespaces=namespaces,
)
for policy in policies:
temp_pol = policy
temp_pol = _updateNamespace(temp_pol, this_namespace)
if "key" in temp_pol.attrib:
temp_pol = _updatePolicyElements(
temp_pol, temp_pol.attrib["key"]
)
policydefs_policies_xpath(t_policy_definitions)[0].append(temp_pol)
policy_namespaces = xml_tree.xpath(
"/{0}policyDefinitions/{0}policyNamespaces/{0}*".format(
namespace_string
),
namespaces=namespaces,
)
for policy_ns in policy_namespaces:
temp_ns = policy_ns
temp_ns = _updateNamespace(temp_ns, this_namespace)
policydefs_policyns_xpath(t_policy_definitions)[0].append(temp_ns)
# We need to make sure the adml file exists. First we'll check
# the passed language (eg: en-US). Then we'll try the
# abbreviated version (en) to account for alternate locations.
# We'll do the same for the display_language_fallback (en_US).
adml_file = os.path.join(root, language, admx_file_name + ".adml")
if not __salt__["file.file_exists"](adml_file):
log.info(
"An ADML file in the specified ADML language "
'"%s" does not exist for the ADMX "%s", the '
"the abbreviated language code will be tried.",
language,
t_admx_file,
)
adml_file = os.path.join(
root, language.split("-")[0], admx_file_name + ".adml"
)
if not __salt__["file.file_exists"](adml_file):
log.info(
"An ADML file in the specified ADML language "
'code %s does not exist for the ADMX "%s", '
"the fallback language will be tried.",
language[:2],
t_admx_file,
)
adml_file = os.path.join(
root, display_language_fallback, admx_file_name + ".adml"
)
if not __salt__["file.file_exists"](adml_file):
log.info(
"An ADML file in the specified ADML "
'fallback language "%s" '
'does not exist for the ADMX "%s" '
"the abbreviated fallback language code "
"will be tried.",
display_language_fallback,
t_admx_file,
)
adml_file = os.path.join(
root,
display_language_fallback.split("-")[0],
admx_file_name + ".adml",
)
if not __salt__["file.file_exists"](adml_file):
raise SaltInvocationError(
"An ADML file in the specified ADML language "
'"{}" and the fallback language "{}" do not '
'exist for the ADMX "{}".'.format(
language, display_language_fallback, t_admx_file
)
)
# Parse xml for the ADML file
try:
xml_tree = _parse_xml(adml_file)
except lxml.etree.XMLSyntaxError:
log.error(
"An error was found while processing adml "
"file %s, all policies from this file will "
"be unavailable via this module",
adml_file,
)
continue
if None in namespaces:
namespaces["None"] = namespaces[None]
namespaces.pop(None)
policydefs_resources = policydefs_resources_localname_xpath(xml_tree)
for policydefs_resource in policydefs_resources:
t_poldef = policydefs_resource
t_poldef = _updateNamespace(t_poldef, this_namespace)
policydef_resources_xpath(t_policy_definition_resources)[0].append(
t_poldef
)
__context__["lgpo.policy_definitions"] = t_policy_definitions
__context__["lgpo.policy_resources"] = t_policy_definition_resources
def _get_policy_definitions(path="c:\\Windows\\PolicyDefinitions", language="en-US"):
if "lgpo.policy_definitions" not in __context__:
log.debug("LGPO: Loading policy definitions")
_load_policy_definitions(path=path, language=language)
return __context__["lgpo.policy_definitions"]
def clear_policy_cache():
"""
Clears the policy definitions and resource stored in ``__context__``. They
will be rebuilt the next time a policy is applied.
CLI Example:
.. code-block:: bash
salt '*' lgpo.clear_policy_cache
"""
if "lgpo.policy_definitions" in __context__:
log.debug("LGPO: Removing cached policy definitions")
__context__.pop("lgpo.policy_definitions")
if "lgpo.policy_resources" in __context__:
log.debug("LGPO: Removing cached policy resources")
__context__.pop("lgpo.policy_resources")
def _get_policy_resources(path="c:\\Windows\\PolicyDefinitions", language="en-US"):
if "lgpo.policy_resources" not in __context__:
log.debug("LGPO: Loading policy resources")
_load_policy_definitions(path=path, language=language)
return __context__["lgpo.policy_resources"]
def _buildElementNsmap(using_elements):
"""
build a namespace map for an ADMX element
"""
thisMap = {}
for e in using_elements:
thisMap[e.attrib["prefix"]] = e.attrib["namespace"]
return thisMap
def _get_advaudit_defaults(option=None):
"""
Loads audit.csv defaults into a dict in __context__ called
'lgpo.audit_defaults'. The dictionary includes fieldnames and all
configurable policies as keys. The values are used to create/modify the
``audit.csv`` file. The first entry is `fieldnames` used to create the
header for the csv file. The rest of the entries are the audit policy names.
Sample data follows:
{
'fieldnames': ['Machine Name',
'Policy Target',
'Subcategory',
'Subcategory GUID',
'Inclusion Setting',
'Exclusion Setting',
'Setting Value'],
'Audit Sensitive Privilege Use': {'Auditpol Name': 'Sensitive Privilege Use',
'Exclusion Setting': '',
'Inclusion Setting': 'No Auditing',
'Machine Name': 'WIN-8FGT3E045SE',
'Policy Target': 'System',
'Setting Value': '0',
'Subcategory': u'Audit Sensitive Privilege Use',
'Subcategory GUID': '{0CCE9228-69AE-11D9-BED3-505054503030}'},
'Audit Special Logon': {'Auditpol Name': 'Special Logon',
'Exclusion Setting': '',
'Inclusion Setting': 'No Auditing',
'Machine Name': 'WIN-8FGT3E045SE',
'Policy Target': 'System',
'Setting Value': '0',
'Subcategory': u'Audit Special Logon',
'Subcategory GUID': '{0CCE921B-69AE-11D9-BED3-505054503030}'},
'Audit System Integrity': {'Auditpol Name': 'System Integrity',
'Exclusion Setting': '',
'Inclusion Setting': 'No Auditing',
'Machine Name': 'WIN-8FGT3E045SE',
'Policy Target': 'System',
'Setting Value': '0',
'Subcategory': u'Audit System Integrity',
'Subcategory GUID': '{0CCE9212-69AE-11D9-BED3-505054503030}'},
...
}
.. note::
`Auditpol Name` designates the value to use when setting the value with
the auditpol command
Args:
option (str): The item from the dictionary to return. If ``None`` the
entire dictionary is returned. Default is ``None``
Returns:
dict: If ``None`` or one of the audit settings is passed
list: If ``fieldnames`` is passed
"""
if "lgpo.audit_defaults" not in __context__:
# Get available setting names and GUIDs
# This is used to get the fieldnames and GUIDs for individual policies
log.debug("Loading auditpol defaults into __context__")
dump = __utils__["auditpol.get_auditpol_dump"]()
reader = csv.DictReader(dump)
audit_defaults = {"fieldnames": reader.fieldnames}
for row in reader:
row["Machine Name"] = ""
row["Auditpol Name"] = row["Subcategory"]
# Special handling for snowflake scenarios where the audit.csv names
# don't match the auditpol names
if row["Subcategory"] == "Central Policy Staging":
row["Subcategory"] = "Audit Central Access Policy Staging"
elif row["Subcategory"] == "Plug and Play Events":
row["Subcategory"] = "Audit PNP Activity"
elif row["Subcategory"] == "Token Right Adjusted Events":
row["Subcategory"] = "Audit Token Right Adjusted"
else:
row["Subcategory"] = "Audit {}".format(row["Subcategory"])
audit_defaults[row["Subcategory"]] = row
__context__["lgpo.audit_defaults"] = audit_defaults
if option:
return __context__["lgpo.audit_defaults"][option]
else:
return __context__["lgpo.audit_defaults"]
def _advaudit_check_csv():
"""
This function checks for the existence of the `audit.csv` file here:
`C:\\Windows\\security\\audit`
If the file does not exist, then it copies the `audit.csv` file from the
Group Policy location:
`C:\\Windows\\System32\\GroupPolicy\\Machine\\Microsoft\\Windows NT\\Audit`
If there is no `audit.csv` in either location, then a default `audit.csv`
file is created.
"""
system_root = os.environ.get("SystemRoot", "C:\\Windows")
f_audit = os.path.join(system_root, "security", "audit", "audit.csv")
f_audit_gpo = os.path.join(
system_root,
"System32",
"GroupPolicy",
"Machine",
"Microsoft",
"Windows NT",
"Audit",
"audit.csv",
)
# Make sure there is an existing audit.csv file on the machine
if not __salt__["file.file_exists"](f_audit):
if __salt__["file.file_exists"](f_audit_gpo):
# If the GPO audit.csv exists, we'll use that one
__salt__["file.copy"](f_audit_gpo, f_audit)
else:
field_names = _get_advaudit_defaults("fieldnames")
# If the file doesn't exist anywhere, create it with default
# fieldnames
__salt__["file.makedirs"](f_audit)
__salt__["file.write"](f_audit, ",".join(field_names))
def _get_advaudit_value(option, refresh=False):
"""
Get the Advanced Auditing policy as configured in
``C:\\Windows\\Security\\Audit\\audit.csv``
Args:
option (str):
The name of the setting as it appears in audit.csv
refresh (bool):
Refresh secedit data stored in __context__. This is needed for
testing where the state is setting the value, but the module that
is checking the value has its own __context__.
Returns:
bool: ``True`` if successful, otherwise ``False``
"""
if "lgpo.adv_audit_data" not in __context__ or refresh is True:
system_root = os.environ.get("SystemRoot", "C:\\Windows")
f_audit = os.path.join(system_root, "security", "audit", "audit.csv")
# Make sure the csv file exists before trying to open it
_advaudit_check_csv()
audit_settings = {}
with salt.utils.files.fopen(f_audit, mode="r") as csv_file:
reader = csv.DictReader(csv_file)
for row in reader:
audit_settings.update({row["Subcategory"]: row["Setting Value"]})
__context__["lgpo.adv_audit_data"] = audit_settings
return __context__["lgpo.adv_audit_data"].get(option, None)
def _set_advaudit_file_data(option, value):
"""
Helper function that sets the Advanced Audit settings in the two .csv files
on Windows. Those files are located at:
C:\\Windows\\Security\\Audit\\audit.csv
C:\\Windows\\System32\\GroupPolicy\\Machine\\Microsoft\\Windows NT\\Audit\\audit.csv
Args:
option (str): The name of the option to set
value (str): The value to set. ['None', '0', '1', '2', '3']
Returns:
bool: ``True`` if successful, otherwise ``False``
"""
# Set up some paths here
system_root = os.environ.get("SystemRoot", "C:\\Windows")
f_audit = os.path.join(system_root, "security", "audit", "audit.csv")
f_audit_gpo = os.path.join(
system_root,
"System32",
"GroupPolicy",
"Machine",
"Microsoft",
"Windows NT",
"Audit",
"audit.csv",
)
f_temp = tempfile.NamedTemporaryFile(
mode="w", delete=False, suffix=".csv", prefix="audit"
)
# Lookup dict for "Inclusion Setting" field
auditpol_values = {
"None": "No Auditing",
"0": "No Auditing",
"1": "Success",
"2": "Failure",
"3": "Success and Failure",
}
# Make sure the csv file exists before trying to open it
_advaudit_check_csv()
try:
# Open the existing audit.csv and load the csv `reader`
with salt.utils.files.fopen(f_audit, mode="r") as csv_file:
reader = csv.DictReader(csv_file)
# Open the temporary .csv and load the csv `writer`
with salt.utils.files.fopen(f_temp.name, mode="w") as tmp_file:
writer = csv.DictWriter(tmp_file, fieldnames=reader.fieldnames)
# Write the header values (labels)
writer.writeheader()
value_written = False
# Loop through the current audit.csv and write the changes to
# the temp csv file for existing settings
for row in reader:
# If the row matches the value we're setting, update it with
# the new value
if row["Subcategory"] == option:
if not value == "None":
# The value is not None, make the change
row["Inclusion Setting"] = auditpol_values[value]
row["Setting Value"] = value
log.trace("LGPO: Setting %s to %s", option, value)
writer.writerow(row)
else:
# value is None, remove it by not writing it to the
# temp file
log.trace("LGPO: Removing %s", option)
value_written = True
# If it's not the value we're setting, just write it
else:
writer.writerow(row)
# If a value was not written, it is a new setting not found in
# the existing audit.cvs file. Add the new setting with values
# from the defaults
if not value_written:
if not value == "None":
# value is not None, write the new value
log.trace("LGPO: Setting %s to %s", option, value)
defaults = _get_advaudit_defaults(option)
writer.writerow(
{
"Machine Name": defaults["Machine Name"],
"Policy Target": defaults["Policy Target"],
"Subcategory": defaults["Subcategory"],
"Subcategory GUID": defaults["Subcategory GUID"],
"Inclusion Setting": auditpol_values[value],
"Exclusion Setting": defaults["Exclusion Setting"],
"Setting Value": value,
}
)
value_written = True
if value_written:
# Copy the temporary csv file over the existing audit.csv in both
# locations if a value was written
__salt__["file.copy"](f_temp.name, f_audit, remove_existing=True)
__salt__["file.makedirs"](f_audit_gpo)
__salt__["file.copy"](f_temp.name, f_audit_gpo, remove_existing=True)
finally:
f_temp.close()
__salt__["file.remove"](f_temp.name)
return value_written
def _set_advaudit_pol_data(option, value):
"""
Helper function that updates the current applied settings to match what has
just been set in the audit.csv files. We're doing it this way instead of
running `gpupdate`
Args:
option (str): The name of the option to set
value (str): The value to set. ['None', '0', '1', '2', '3']
Returns:
bool: ``True`` if successful, otherwise ``False``
"""
auditpol_values = {
"None": "No Auditing",
"0": "No Auditing",
"1": "Success",
"2": "Failure",
"3": "Success and Failure",
}
defaults = _get_advaudit_defaults(option)
return __utils__["auditpol.set_setting"](
name=defaults["Auditpol Name"], value=auditpol_values[value]
)
def _set_advaudit_value(option, value):
"""
Helper function to update the Advanced Audit policy on the machine. This
function modifies the two ``audit.csv`` files in the following locations:
C:\\Windows\\Security\\Audit\\audit.csv
C:\\Windows\\System32\\GroupPolicy\\Machine\\Microsoft\\Windows NT\\Audit\\audit.csv
Then it applies those settings using ``auditpol``
After that, it updates ``__context__`` with the new setting
Args:
option (str): The name of the option to set
value (str): The value to set. ['None', '0', '1', '2', '3']
Returns:
bool: ``True`` if successful, otherwise ``False``
"""
# Set the values in both audit.csv files
if not _set_advaudit_file_data(option=option, value=value):
raise CommandExecutionError(f"Failed to set audit.csv option: {option}")
# Apply the settings locally
if not _set_advaudit_pol_data(option=option, value=value):
# Only log this error, it will be in effect the next time the machine
# updates its policy
log.error(
"Failed to apply audit setting: %s\n"
"Policy will take effect on next GPO update",
option,
)
# Make sure lgpo.adv_audit_data is loaded
if "lgpo.adv_audit_data" not in __context__:
_get_advaudit_value(option)
# Update __context__
if value is None:
log.debug("LGPO: Removing Advanced Audit data: %s", option)
__context__["lgpo.adv_audit_data"].pop(option)
else:
log.debug("LGPO: Updating Advanced Audit data: %s: %s", option, value)
__context__["lgpo.adv_audit_data"][option] = value
return True
def _get_netsh_value(profile, option):
if "lgpo.netsh_data" not in __context__:
__context__["lgpo.netsh_data"] = {}
if profile not in __context__["lgpo.netsh_data"]:
log.debug("LGPO: Loading netsh data for %s profile", profile)
settings = salt.utils.win_lgpo_netsh.get_all_settings(
profile=profile, store="lgpo"
)
__context__["lgpo.netsh_data"].update({profile: settings})
log.trace(
"LGPO: netsh returning value: %s",
__context__["lgpo.netsh_data"][profile][option],
)
return __context__["lgpo.netsh_data"][profile][option]
def _set_netsh_value(profile, section, option, value):
if section not in ("firewallpolicy", "settings", "logging", "state"):
raise ValueError(f"LGPO: Invalid section: {section}")
log.trace(
"LGPO: Setting the following\nProfile: %s\nSection: %s\nOption: %s\nValue: %s",
profile,
section,
option,
value,
)
if section == "firewallpolicy":
salt.utils.win_lgpo_netsh.set_firewall_settings(
profile=profile,
inbound=value if option == "Inbound" else None,
outbound=value if option == "Outbound" else None,
store="lgpo",
)
if section == "settings":
salt.utils.win_lgpo_netsh.set_settings(
profile=profile, setting=option, value=value, store="lgpo"
)
if section == "state":
salt.utils.win_lgpo_netsh.set_state(profile=profile, state=value, store="lgpo")
if section == "logging":
if option in ("FileName", "MaxFileSize"):
if value == "Not configured":
value = "notconfigured"
# Trim log for the two logging options
if option.startswith("Log"):
option = option[3:]
salt.utils.win_lgpo_netsh.set_logging_settings(
profile=profile, setting=option, value=value, store="lgpo"
)
log.trace("LGPO: Clearing netsh data for %s profile", profile)
__context__["lgpo.netsh_data"].pop(profile)
return True
def _load_secedit_data():
"""
Helper function that loads secedit data. It runs `secedit /export /cfg
<file_name>` which creates a file that contains the secedit data.
Returns:
str: The contents of the file generated by the secedit command
"""
f_exp = os.path.join(__opts__["cachedir"], f"secedit-{UUID}.txt")
try:
__salt__["cmd.run"](["secedit", "/export", "/cfg", f_exp])
with salt.utils.files.fopen(f_exp, encoding="utf-16") as fp:
secedit_data = fp.readlines()
return secedit_data
finally:
if __salt__["file.file_exists"](f_exp):
__salt__["file.remove"](f_exp)
def _get_secedit_data(refresh=False):
"""
Helper function that returns the secedit data in __context__ if it exists
and puts the secedit data in __context__ if it does not.
Args:
refresh (bool):
Refresh secedit data stored in __context__. This is needed for
testing where the state is setting the value, but the module that
is checking the value has its own __context__.
Returns:
str: secedit data from __context__
"""
if "lgpo.secedit_data" not in __context__ or refresh is True:
log.debug("LGPO: Loading secedit data")
__context__["lgpo.secedit_data"] = _load_secedit_data()
return __context__["lgpo.secedit_data"]
def _get_secedit_value(option):
"""
Helper function that looks for the passed option in the secedit data
"""
secedit_data = _get_secedit_data()
for _line in secedit_data:
if _line.startswith(option):
return _line.split("=")[1].strip()
return "Not Defined"
def _write_secedit_data(inf_data):
"""
Helper function to write secedit data to the database
"""
# Set file names
# The database must persist in order for the settings to remain in effect
f_sdb = os.path.join(os.getenv("WINDIR"), "security", "database", "salt.sdb")
f_inf = os.path.join(__opts__["cachedir"], f"secedit-{UUID}.inf")
try:
# Write the changes to the inf file
with salt.utils.files.fopen(f_inf, "w", encoding="utf-16") as fp:
fp.write(inf_data)
# Import the template data into a database
cmd = ["secedit", "/import", "/db", f_sdb, "/cfg", f_inf]
retcode = __salt__["cmd.retcode"](cmd)
if not retcode == 0:
log.debug("Secedit failed to import template data")
return False
# Apply the security database
cmd = ["secedit", "/configure", "/db", f_sdb]
retcode = __salt__["cmd.retcode"](cmd)
if not retcode == 0:
log.debug("Secedit failed to apply security database")
return False
# Pop secedit data so it will always be current
__context__.pop("lgpo.secedit_data", None)
return True
finally:
# Cleanup our scratch files, but not the database file
if __salt__["file.file_exists"](f_inf):
__salt__["file.remove"](f_inf)
def _transform_value(value, policy, transform_type):
"""
helper function to transform the policy value into something that more
closely matches how the policy is displayed in the gpedit GUI
"""
t_kwargs = {}
if "Transform" in policy:
if transform_type in policy["Transform"]:
_policydata = _policy_info()
if transform_type + "Args" in policy["Transform"]:
t_kwargs = policy["Transform"][transform_type + "Args"]
return getattr(_policydata, policy["Transform"][transform_type])(
value, **t_kwargs
)
else:
return value
else:
if "Registry" in policy:
if value == "(value not set)":
return "Not Defined"
return value
def _validateSetting(value, policy):
"""
helper function to validate specified value is appropriate for the policy
if the 'Settings' key is a list, the value will check that it is in the list
if the 'Settings' key is a dict we will try to execute the function name
from the 'Function' key, passing the value and additional arguments from
the 'Args' dict
if the 'Settings' key is None, we won't do any validation and just return
True
if the Policy has 'Children', we'll validate their settings too
"""
log.debug("validating %s for policy %s", value, policy)
if "Settings" in policy:
if policy["Settings"]:
if isinstance(policy["Settings"], list):
if value not in policy["Settings"]:
return False
elif isinstance(policy["Settings"], dict):
_policydata = _policy_info()
if not getattr(_policydata, policy["Settings"]["Function"])(
value, **policy["Settings"]["Args"]
):
return False
else:
return True
return True
def _addAccountRights(sidObject, user_right):
"""
helper function to add an account right to a user
"""
try:
if sidObject:
_polHandle = win32security.LsaOpenPolicy(
None, win32security.POLICY_ALL_ACCESS
)
user_rights_list = [user_right]
_ret = win32security.LsaAddAccountRights(
_polHandle, sidObject, user_rights_list
)
return True
# TODO: This needs to be more specific
except Exception as e: # pylint: disable=broad-except
log.exception("Error attempting to add account right, exception was %s", e)
return False
def _delAccountRights(sidObject, user_right):
"""
helper function to remove an account right from a user
"""
try:
_polHandle = win32security.LsaOpenPolicy(None, win32security.POLICY_ALL_ACCESS)
user_rights_list = [user_right]
_ret = win32security.LsaRemoveAccountRights(
_polHandle, sidObject, False, user_rights_list
)
return True
except Exception as e: # pylint: disable=broad-except
log.exception("Error attempting to delete account right")
return False
def _getRightsAssignments(user_right):
"""
helper function to return all the user rights assignments/users
"""
sids = []
polHandle = win32security.LsaOpenPolicy(None, win32security.POLICY_ALL_ACCESS)
sids = win32security.LsaEnumerateAccountsWithUserRight(polHandle, user_right)
return sids
def _getAdmlDisplayName(adml_xml_data, display_name):
"""
helper function to take the 'displayName' attribute of an element and find
the value from the ADML data
adml_xml_data :: XML data of all ADML files to search
display_name :: the value of the displayName attribute from the ADMX entry
to search the ADML data for
"""
if display_name.startswith("$(") and display_name.endswith(")"):
display_name = re.sub(r"(^\$\(|\)$)", "", display_name)
display_name = display_name.split(".")
displayname_type = display_name[0]
displayname_id = display_name[1]
search_results = ADML_DISPLAY_NAME_XPATH(
adml_xml_data,
displayNameType=displayname_type,
displayNameId=displayname_id,
)
if search_results:
for result in search_results:
# Needs the `strip()` because some adml data has an extra space
# at the end
return result.text.strip()
return None
def _getAdmlPresentationRefId(adml_data, ref_id):
"""
helper function to check for a presentation label for a policy element
"""
search_results = adml_data.xpath(f'//*[@*[local-name() = "refId"] = "{ref_id}"]')
alternate_label = ""
if search_results:
for result in search_results:
the_localname = etree.QName(result.tag).localname
# We want to prefer result.text as the label, however, if it is none
# we will fall back to this method for getting the label
# Brings some code back from:
# https://github.com/saltstack/salt/pull/55823/files#diff-b2e4dac5ccc17ab548f245371ec5d6faL5658
if result.text is None:
# Get the label from the text element above the referenced
# element. For example:
# --- taken from AppPrivacy.adml ---
# <text>Force allow these specific apps (use Package Family Names):</text>
# <multiTextBox refId="LetAppsSyncWithDevices_ForceAllowTheseApps_List"/>
# In this case, the label for the refId is the text element
# above it.
presentation_element = PRESENTATION_ANCESTOR_XPATH(result)
if presentation_element:
presentation_element = presentation_element[0]
if TEXT_ELEMENT_XPATH(presentation_element):
for p_item in presentation_element:
if p_item == result:
break
if etree.QName(p_item.tag).localname == "text":
if getattr(p_item, "text"):
alternate_label = getattr(p_item, "text").rstrip()
if alternate_label.endswith("."):
alternate_label = ""
if the_localname in ["textBox", "comboBox"]:
label_items = result.xpath('.//*[local-name() = "label"]')
for label_item in label_items:
if label_item.text:
return label_item.text.rstrip().rstrip(":")
elif the_localname in [
"decimalTextBox",
"longDecimalTextBox",
"dropdownList",
"listBox",
"checkBox",
"text",
"multiTextBox",
]:
if result.text:
return result.text.rstrip().rstrip(":").strip()
else:
return alternate_label.rstrip(":").strip()
return None
def _getFullPolicyName(
policy_item, policy_name, return_full_policy_names, adml_language
):
"""
helper function to retrieve the full policy name if needed
"""
if policy_name in adm_policy_name_map[return_full_policy_names]:
return adm_policy_name_map[return_full_policy_names][policy_name]
adml_data = _get_policy_resources(language=adml_language)
if return_full_policy_names and "displayName" in policy_item.attrib:
fullPolicyName = _getAdmlDisplayName(
adml_data, policy_item.attrib["displayName"]
)
if fullPolicyName:
adm_policy_name_map[return_full_policy_names][policy_name] = fullPolicyName
policy_name = fullPolicyName
elif return_full_policy_names and "id" in policy_item.attrib:
fullPolicyName = _getAdmlPresentationRefId(adml_data, policy_item.attrib["id"])
if fullPolicyName:
adm_policy_name_map[return_full_policy_names][policy_name] = fullPolicyName
policy_name = fullPolicyName
policy_name = policy_name.rstrip(":").rstrip()
return policy_name
def _getDataFromRegPolData(search_string, policy_data, return_value_name=False):
"""
helper function to do a search of Policy data from a registry.pol file
returns the "data" field
https://msdn.microsoft.com/en-us/library/aa374407(VS.85).aspx
[key;value;type;size;data]
"""
value = None
values = []
encoded_semicolon = ";".encode("utf-16-le")
if return_value_name:
values = {}
if search_string:
registry = Registry()
if len(search_string.split(encoded_semicolon)) >= 3:
vtype = registry.vtype_reverse[
ord(search_string.split(encoded_semicolon)[2].decode("utf-32-le"))
]
else:
vtype = None
search_string = re.escape(search_string)
matches = re.finditer(search_string, policy_data, re.IGNORECASE)
matches = [m for m in matches]
if matches:
for match in matches:
pol_entry = policy_data[
match.start() : (
policy_data.index("]".encode("utf-16-le"), match.end())
)
].split(encoded_semicolon, 4)
if len(pol_entry) >= 2:
valueName = pol_entry[1].decode("utf-16-le").rstrip(chr(0))
if len(pol_entry) >= 5:
# Sometimes a semicolon-separated value gets split into
# additional elements in the Registry.pol file. For example,
# a value of test1;test2;test3 will be 'test1', 'test2', and
# 'test3' at the end of the Registry.pol file entry
value = encoded_semicolon.join(pol_entry[4:])
if vtype == "REG_DWORD" or vtype == "REG_QWORD":
if value:
if vtype == "REG_DWORD":
for v in struct.unpack(b"I", value):
value = v
elif vtype == "REG_QWORD":
for v in struct.unpack(b"Q", value):
value = v
else:
value = 0
elif vtype == "REG_MULTI_SZ":
value = value.decode("utf-16-le").rstrip(chr(0)).split(chr(0))
else:
value = value.decode("utf-16-le").rstrip(chr(0))
if return_value_name:
log.trace("we want value names and the value")
values[valueName] = value
elif len(matches) > 1:
log.trace("we have multiple matches, we will return a list")
values.append(value)
if values:
value = values
return value
def _checkListItem(
policy_element,
policy_name,
policy_key,
xpath_object,
policy_file_data,
test_items=True,
):
"""
helper function to process an enabled/disabled/true/falseList set
if test_items is True, it will determine if the policy is enabled or
disabled returning True if all items are configured in the registry.pol file
and false if they are not
if test_items is False, the expected strings for the items will be returned
as a list
returns True if the enabled/disabledList is 100% configured in the
registry.pol file, otherwise returns False
"""
xpath_string = (
'.//*[local-name() = "decimal" or local-name() = "delete"'
' or local-name() = "longDecimal" or local-name() = "string"]'
)
value_item_child_xpath = etree.XPath(xpath_string)
expected_strings = []
for list_element in xpath_object(policy_element):
configured_items = 0
required_items = 0
for item in list_element:
required_items = required_items + 1
if "key" in item.attrib:
item_key = item.attrib["key"]
else:
item_key = policy_key
if "valueName" in item.attrib:
item_valuename = item.attrib["valueName"]
else:
log.error(
"%s item with attributes %s in policy %s does not "
'have the required "valueName" attribute',
etree.QName(list_element).localname,
item.attrib,
policy_element.attrib,
)
break
for value_item in value_item_child_xpath(item):
search_string = _processValueItem(
value_item, item_key, item_valuename, policy_element, item
)
if test_items:
if search_reg_pol(re.escape(search_string), policy_file_data):
configured_items = configured_items + 1
log.trace(
"found the search string in the pol file,"
"%s of %s items for policy %s are "
"configured in registry.pol",
configured_items,
required_items,
policy_name,
)
else:
expected_strings.append(search_string)
if test_items:
if required_items > 0 and required_items == configured_items:
log.trace("%s all items are set", policy_name)
return True
if test_items:
return False
else:
return expected_strings
def _checkValueItemParent(
policy_element,
policy_name,
policy_key,
policy_valueName,
xpath_object,
policy_file_data,
check_deleted=False,
test_item=True,
):
"""
helper function to process the parent of a value item object
if test_item is True, it will determine if the policy is enabled/disabled
returns True if the value is configured in the registry.pol file, otherwise returns False
if test_item is False, the expected search string will be returned
value type parents:
boolean: https://msdn.microsoft.com/en-us/library/dn606009(v=vs.85).aspx
enabledValue: https://msdn.microsoft.com/en-us/library/dn606006(v=vs.85).aspx
disabledValue: https://msdn.microsoft.com/en-us/library/dn606001(v=vs.85).aspx
"""
for element in xpath_object(policy_element):
for value_item in element:
search_string = _processValueItem(
value_item,
policy_key,
policy_valueName,
policy_element,
element,
check_deleted=check_deleted,
)
if not test_item:
return search_string
if search_reg_pol(re.escape(search_string), policy_file_data):
log.trace(
"found the search string in the pol file, %s is configured",
policy_name,
)
return True
return False
def _encode_string(value):
encoded_null = chr(0).encode("utf-16-le")
if value is None:
return encoded_null
elif not isinstance(value, str):
# Should we raise an error here, or attempt to cast to a string
raise TypeError(
f"Value {repr(value)} is not a string type\nType: {type(value)}"
)
return b"".join([value.encode("utf-16-le"), encoded_null])
def _buildKnownDataSearchString(
reg_key, reg_valueName, reg_vtype, reg_data, check_deleted=False
):
"""
helper function similar to _processValueItem to build a search string for a
known key/value/type/data
"""
registry = Registry()
this_element_value = None
encoded_semicolon = ";".encode("utf-16-le")
encoded_null = chr(0).encode("utf-16-le")
if reg_key:
reg_key = reg_key.encode("utf-16-le")
if reg_valueName:
reg_valueName = reg_valueName.encode("utf-16-le")
if reg_data and not check_deleted:
if reg_vtype == "REG_DWORD":
this_element_value = struct.pack(b"I", int(reg_data))
elif reg_vtype == "REG_QWORD":
this_element_value = struct.pack(b"Q", int(reg_data))
elif reg_vtype == "REG_SZ":
this_element_value = _encode_string(reg_data)
if check_deleted:
reg_vtype = "REG_SZ"
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
"**del.".encode("utf-16-le"),
reg_valueName,
encoded_null,
encoded_semicolon,
chr(registry.vtype[reg_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(f" {chr(0)}".encode("utf-16-le"))).encode("utf-32-le"),
encoded_semicolon,
" ".encode("utf-16-le"),
encoded_null,
"]".encode("utf-16-le"),
]
)
else:
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
reg_valueName,
encoded_null,
encoded_semicolon,
chr(registry.vtype[reg_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(this_element_value)).encode("utf-32-le"),
encoded_semicolon,
this_element_value,
"]".encode("utf-16-le"),
]
)
return expected_string
def _processValueItem(
element,
reg_key,
reg_valuename,
policy,
parent_element,
check_deleted=False,
this_element_value=None,
):
"""
helper function to process a value type item and generate the expected
string in the Registry.pol file
element - the element to process
reg_key - the registry key associated with the element (some inherit from
their parent policy)
reg_valuename - the registry valueName associated with the element (some
inherit from their parent policy)
policy - the parent policy element
parent_element - the parent element (primarily passed in to differentiate
children of "elements" objects
check_deleted - if the returned expected string should be for a deleted
value
this_element_value - a specific value to place into the expected string
returned for "elements" children whose values are
specified by the user
"""
registry = Registry()
expected_string = None
# https://msdn.microsoft.com/en-us/library/dn606006(v=vs.85).aspx
this_vtype = "REG_SZ"
encoded_semicolon = ";".encode("utf-16-le")
encoded_null = chr(0).encode("utf-16-le")
if reg_key:
reg_key = reg_key.encode("utf-16-le")
if reg_valuename:
reg_valuename = reg_valuename.encode("utf-16-le")
if (
etree.QName(element).localname == "decimal"
and etree.QName(parent_element).localname != "elements"
):
this_vtype = "REG_DWORD"
if "value" in element.attrib:
this_element_value = struct.pack(b"I", int(element.attrib["value"]))
else:
log.error(
"The %s child %s element for the policy with "
'attributes: %s does not have the required "value" '
"attribute. The element attributes are: %s",
etree.QName(parent_element).localname,
etree.QName(element).localname,
policy.attrib,
element.attrib,
)
return None
elif (
etree.QName(element).localname == "longDecimal"
and etree.QName(parent_element).localname != "elements"
):
# WARNING: no longDecimals in current ADMX files included with 2012
# server, so untested/assumed
this_vtype = "REG_QWORD"
if "value" in element.attrib:
this_element_value = struct.pack(b"Q", int(element.attrib["value"]))
else:
log.error(
"The %s child %s element for the policy with "
'attributes: %s does not have the required "value" '
"attribute. The element attributes are: %s",
etree.QName(parent_element).localname,
etree.QName(element).localname,
policy.attrib,
element.attrib,
)
return None
elif etree.QName(element).localname == "string":
this_vtype = "REG_SZ"
this_element_value = _encode_string(element.text)
elif etree.QName(parent_element).localname == "elements":
standard_element_expected_string = True
if etree.QName(element).localname == "boolean":
# a boolean element that has no children will add a REG_DWORD == 1
# on true or delete the value on false
# https://msdn.microsoft.com/en-us/library/dn605978(v=vs.85).aspx
if this_element_value is False:
check_deleted = True
if not check_deleted:
this_vtype = "REG_DWORD"
this_element_value = struct.pack("I", 1)
standard_element_expected_string = False
elif etree.QName(element).localname == "decimal":
# https://msdn.microsoft.com/en-us/library/dn605987(v=vs.85).aspx
this_vtype = "REG_DWORD"
requested_val = this_element_value
if this_element_value is not None:
this_element_value = struct.pack(b"I", int(this_element_value))
if "storeAsText" in element.attrib:
if element.attrib["storeAsText"].lower() == "true":
this_vtype = "REG_SZ"
if requested_val is not None:
this_element_value = str(requested_val).encode("utf-16-le")
if check_deleted:
this_vtype = "REG_SZ"
elif etree.QName(element).localname == "longDecimal":
# https://msdn.microsoft.com/en-us/library/dn606015(v=vs.85).aspx
this_vtype = "REG_QWORD"
requested_val = this_element_value
if this_element_value is not None:
this_element_value = struct.pack(b"Q", int(this_element_value))
if "storeAsText" in element.attrib:
if element.attrib["storeAsText"].lower() == "true":
this_vtype = "REG_SZ"
if requested_val is not None:
this_element_value = str(requested_val).encode("utf-16-le")
elif etree.QName(element).localname == "text":
# https://msdn.microsoft.com/en-us/library/dn605969(v=vs.85).aspx
this_vtype = "REG_SZ"
if "expandable" in element.attrib:
if element.attrib["expandable"].lower() == "true":
this_vtype = "REG_EXPAND_SZ"
if this_element_value is not None:
this_element_value = _encode_string(this_element_value)
elif etree.QName(element).localname == "multiText":
this_vtype = "REG_MULTI_SZ" if not check_deleted else "REG_SZ"
if this_element_value is not None:
this_element_value = "{0}{1}{1}".format(
chr(0).join(this_element_value), chr(0)
)
elif etree.QName(element).localname == "list":
standard_element_expected_string = False
del_keys = b""
element_valuenames = []
element_values = this_element_value
if this_element_value is not None:
element_valuenames = [
str(z) for z in range(1, len(this_element_value) + 1)
]
if "additive" in element.attrib:
if element.attrib["additive"].lower() == "false":
# a delete values will be added before all the other
# value = data pairs
del_keys = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
"**delvals.".encode("utf-16-le"),
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(f" {chr(0)}".encode("utf-16-le"))).encode(
"utf-32-le"
),
encoded_semicolon,
" ".encode("utf-16-le"),
encoded_null,
"]".encode("utf-16-le"),
]
)
if "expandable" in element.attrib:
this_vtype = "REG_EXPAND_SZ"
if element.attrib.get("explicitValue", "false").lower() == "true":
if this_element_value is not None:
element_valuenames = [str(k) for k in this_element_value.keys()]
element_values = [str(v) for v in this_element_value.values()]
elif "valuePrefix" in element.attrib:
# if the valuePrefix attribute exists, the valuenames are <prefix><number>
# most prefixes attributes are empty in the admx files, so the valuenames
# end up being just numbers
if element.attrib["valuePrefix"] != "":
if this_element_value is not None:
element_valuenames = [
"{}{}".format(element.attrib["valuePrefix"], k)
for k in element_valuenames
]
else:
# if there is no valuePrefix attribute, the valuename is the value
if element_values is not None:
element_valuenames = [str(z) for z in element_values]
if not check_deleted:
if this_element_value is not None:
log.trace(
"_processValueItem has an explicit element_value of %s",
this_element_value,
)
expected_string = del_keys
log.trace(
"element_valuenames == %s and element_values == %s",
element_valuenames,
element_values,
)
for i, item in enumerate(element_valuenames):
expected_string = expected_string + b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
element_valuenames[i].encode("utf-16-le"),
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(
len(
f"{element_values[i]}{chr(0)}".encode(
"utf-16-le"
)
)
).encode("utf-32-le"),
encoded_semicolon,
_encode_string(element_values[i]),
"]".encode("utf-16-le"),
]
)
else:
expected_string = del_keys + b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
]
)
else:
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
"**delvals.".encode("utf-16-le"),
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(f" {chr(0)}".encode("utf-16-le"))).encode("utf-32-le"),
encoded_semicolon,
" ".encode("utf-16-le"),
encoded_null,
"]".encode("utf-16-le"),
]
)
elif etree.QName(element).localname == "enum":
if this_element_value is not None:
pass
if standard_element_expected_string and not check_deleted:
if this_element_value is not None:
# Sometimes values come in as strings
if isinstance(this_element_value, str):
log.debug("Converting %s to bytes", this_element_value)
this_element_value = this_element_value.encode("utf-32-le")
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
reg_valuename,
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(this_element_value)).encode("utf-32-le"),
encoded_semicolon,
this_element_value,
"]".encode("utf-16-le"),
]
)
else:
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
reg_valuename,
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
]
)
if not expected_string:
if etree.QName(element).localname == "delete" or check_deleted:
# delete value
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
"**del.".encode("utf-16-le"),
reg_valuename,
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(f" {chr(0)}".encode("utf-16-le"))).encode("utf-32-le"),
encoded_semicolon,
" ".encode("utf-16-le"),
encoded_null,
"]".encode("utf-16-le"),
]
)
else:
expected_string = b"".join(
[
"[".encode("utf-16-le"),
reg_key,
encoded_null,
encoded_semicolon,
reg_valuename,
encoded_null,
encoded_semicolon,
chr(registry.vtype[this_vtype]).encode("utf-32-le"),
encoded_semicolon,
chr(len(this_element_value)).encode("utf-32-le"),
encoded_semicolon,
this_element_value,
"]".encode("utf-16-le"),
]
)
return expected_string
def _checkAllAdmxPolicies(
policy_class,
adml_language="en-US",
return_full_policy_names=False,
hierarchical_return=False,
return_not_configured=False,
):
"""
rewrite of _getAllAdminTemplateSettingsFromRegPolFile where instead of
looking only at the contents of the file, we're going to loop through every
policy and look in the registry.pol file to determine if it is
enabled/disabled/not configured
"""
log.trace("POLICY CLASS == %s", policy_class)
policy_file_data = read_reg_pol_file(CLASS_INFO[policy_class]["policy_path"])
admx_policies = []
policy_vals = {}
hierarchy = {}
full_names = {}
admx_policy_definitions = _get_policy_definitions(language=adml_language)
adml_policy_resources = _get_policy_resources(language=adml_language)
if policy_file_data:
log.trace("POLICY CLASS %s has file data", policy_class)
policy_filedata_split = re.sub(
salt.utils.stringutils.to_bytes(rf"\]{chr(0)}$"),
b"",
re.sub(
salt.utils.stringutils.to_bytes(rf"^\[{chr(0)}"),
b"",
re.sub(
re.escape(REG_POL_HEADER.encode("utf-16-le")),
b"",
policy_file_data,
),
),
).split("][".encode("utf-16-le"))
log.trace("Searching %s policies...", len(policy_filedata_split))
start_time = time.time()
# Get the policy for each item defined in Registry.pol
for policy_item in policy_filedata_split:
policy_item_key = (
policy_item.split(f"{chr(0)};".encode("utf-16-le"))[0]
.decode("utf-16-le")
.lower()
)
if policy_item_key:
# Find the policy definitions with this key
admx_items = REGKEY_XPATH(
admx_policy_definitions, keyvalue=policy_item_key
)
log.trace("Found %s policies for %s", len(admx_items), policy_item_key)
for admx_item in admx_items:
# If this is a policy, append it to admx_policies
if etree.QName(admx_item).localname == "policy":
if admx_item not in admx_policies:
admx_policies.append(admx_item)
else:
# If this is not a policy, find the parent policy for this item
for policy_item in POLICY_ANCESTOR_XPATH(admx_item):
if policy_item not in admx_policies:
admx_policies.append(policy_item)
log.trace("Search complete: %s seconds", time.time() - start_time)
if return_not_configured:
log.trace("Gathering non configured policies")
start_time = time.time()
not_configured_policies = ALL_CLASS_POLICY_XPATH(
admx_policy_definitions, registry_class=policy_class
)
for policy_item in admx_policies:
if policy_item in not_configured_policies:
not_configured_policies.remove(policy_item)
for not_configured_policy in not_configured_policies:
not_configured_policy_namespace = not_configured_policy.nsmap[
not_configured_policy.prefix
]
if not_configured_policy_namespace not in policy_vals:
policy_vals[not_configured_policy_namespace] = {}
policy_vals[not_configured_policy_namespace][
not_configured_policy.attrib["name"]
] = "Not Configured"
if return_full_policy_names:
if not_configured_policy_namespace not in full_names:
full_names[not_configured_policy_namespace] = {}
full_names[not_configured_policy_namespace][
not_configured_policy.attrib["name"]
] = _getFullPolicyName(
policy_item=not_configured_policy,
policy_name=not_configured_policy.attrib["name"],
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
log.trace(
"building hierarchy for non-configured item %s",
not_configured_policy.attrib["name"],
)
if not_configured_policy_namespace not in hierarchy:
hierarchy[not_configured_policy_namespace] = {}
hierarchy[not_configured_policy_namespace][
not_configured_policy.attrib["name"]
] = _build_parent_list(
policy_definition=not_configured_policy,
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
log.trace("Gathering complete: %s seconds", time.time() - start_time)
log.trace("Examining %s policies...", len(admx_policies))
start_time = time.time()
for admx_policy in admx_policies:
this_valuename = None
this_policy_setting = "Not Configured"
element_only_enabled_disabled = True
explicit_enable_disable_value_setting = False
if "key" in admx_policy.attrib:
this_key = admx_policy.attrib["key"]
else:
log.error(
'policy item %s does not have the required "key" attribute',
admx_policy.attrib,
)
break
if "valueName" in admx_policy.attrib:
this_valuename = admx_policy.attrib["valueName"]
if "name" in admx_policy.attrib:
this_policyname = admx_policy.attrib["name"]
else:
log.error(
'policy item %s does not have the required "name" attribute',
admx_policy.attrib,
)
break
this_policynamespace = admx_policy.nsmap[admx_policy.prefix]
if (
ENABLED_VALUE_XPATH(admx_policy)
and this_policy_setting == "Not Configured"
):
# some policies have a disabled list but not an enabled list
# added this to address those issues
if DISABLED_LIST_XPATH(admx_policy) or DISABLED_VALUE_XPATH(
admx_policy
):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkValueItemParent(
admx_policy,
this_policyname,
this_key,
this_valuename,
ENABLED_VALUE_XPATH,
policy_file_data,
):
this_policy_setting = "Enabled"
log.trace(
"%s is enabled by detected ENABLED_VALUE_XPATH", this_policyname
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = this_policy_setting
if (
DISABLED_VALUE_XPATH(admx_policy)
and this_policy_setting == "Not Configured"
):
# some policies have a disabled list but not an enabled list
# added this to address those issues
if ENABLED_LIST_XPATH(admx_policy) or ENABLED_VALUE_XPATH(admx_policy):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkValueItemParent(
admx_policy,
this_policyname,
this_key,
this_valuename,
DISABLED_VALUE_XPATH,
policy_file_data,
):
this_policy_setting = "Disabled"
log.trace(
"%s is disabled by detected DISABLED_VALUE_XPATH",
this_policyname,
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = this_policy_setting
if (
ENABLED_LIST_XPATH(admx_policy)
and this_policy_setting == "Not Configured"
):
if DISABLED_LIST_XPATH(admx_policy) or DISABLED_VALUE_XPATH(
admx_policy
):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkListItem(
admx_policy,
this_policyname,
this_key,
ENABLED_LIST_XPATH,
policy_file_data,
):
this_policy_setting = "Enabled"
log.trace(
"%s is enabled by detected ENABLED_LIST_XPATH", this_policyname
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = this_policy_setting
if (
DISABLED_LIST_XPATH(admx_policy)
and this_policy_setting == "Not Configured"
):
if ENABLED_LIST_XPATH(admx_policy) or ENABLED_VALUE_XPATH(admx_policy):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkListItem(
admx_policy,
this_policyname,
this_key,
DISABLED_LIST_XPATH,
policy_file_data,
):
this_policy_setting = "Disabled"
log.trace(
"%s is disabled by detected DISABLED_LIST_XPATH",
this_policyname,
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = this_policy_setting
if not explicit_enable_disable_value_setting and this_valuename:
# the policy has a key/valuename but no explicit enabled/Disabled
# Value or List
# these seem to default to a REG_DWORD 1 = "Enabled" **del. = "Disabled"
if search_reg_pol(
re.escape(
_buildKnownDataSearchString(
this_key, this_valuename, "REG_DWORD", "1"
)
),
policy_file_data,
):
this_policy_setting = "Enabled"
log.trace(
"%s is enabled by no explicit enable/disable list or value",
this_policyname,
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = this_policy_setting
elif search_reg_pol(
re.escape(
_buildKnownDataSearchString(
this_key,
this_valuename,
"REG_DWORD",
None,
check_deleted=True,
)
),
policy_file_data,
):
this_policy_setting = "Disabled"
log.trace(
"%s is disabled by no explicit enable/disable list or value",
this_policyname,
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = this_policy_setting
if ELEMENTS_XPATH(admx_policy):
if element_only_enabled_disabled or this_policy_setting == "Enabled":
# TODO does this need to be modified based on the 'required' attribute?
required_elements = {}
configured_elements = {}
policy_disabled_elements = 0
for elements_item in ELEMENTS_XPATH(admx_policy):
for child_item in elements_item:
this_element_name = _getFullPolicyName(
policy_item=child_item,
policy_name=child_item.attrib["id"],
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
required_elements[this_element_name] = None
child_key = child_item.attrib.get("key", this_key)
child_valuename = child_item.attrib.get(
"valueName", this_valuename
)
if etree.QName(child_item).localname == "boolean":
# https://msdn.microsoft.com/en-us/library/dn605978(v=vs.85).aspx
if len(child_item) > 0:
if (
TRUE_VALUE_XPATH(child_item)
and this_element_name not in configured_elements
):
if _checkValueItemParent(
child_item,
this_policyname,
child_key,
child_valuename,
TRUE_VALUE_XPATH,
policy_file_data,
):
configured_elements[this_element_name] = (
True
)
log.trace(
"element %s is configured true",
child_item.attrib["id"],
)
if (
FALSE_VALUE_XPATH(child_item)
and this_element_name not in configured_elements
):
if _checkValueItemParent(
child_item,
this_policyname,
child_key,
child_valuename,
FALSE_VALUE_XPATH,
policy_file_data,
):
configured_elements[this_element_name] = (
False
)
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is configured false",
child_item.attrib["id"],
)
# WARNING - no standard ADMX files use true/falseList
# so this hasn't actually been tested
if (
TRUE_LIST_XPATH(child_item)
and this_element_name not in configured_elements
):
log.trace("checking trueList")
if _checkListItem(
child_item,
this_policyname,
this_key,
TRUE_LIST_XPATH,
policy_file_data,
):
configured_elements[this_element_name] = (
True
)
log.trace(
"element %s is configured true",
child_item.attrib["id"],
)
if (
FALSE_LIST_XPATH(child_item)
and this_element_name not in configured_elements
):
log.trace("checking falseList")
if _checkListItem(
child_item,
this_policyname,
this_key,
FALSE_LIST_XPATH,
policy_file_data,
):
configured_elements[this_element_name] = (
False
)
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is configured false",
child_item.attrib["id"],
)
else:
if search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=True,
)
),
policy_file_data,
):
configured_elements[this_element_name] = False
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is configured false",
child_item.attrib["id"],
)
elif search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=False,
)
),
policy_file_data,
):
configured_elements[this_element_name] = True
log.trace(
"element %s is configured true",
child_item.attrib["id"],
)
elif (
etree.QName(child_item).localname == "decimal"
or etree.QName(child_item).localname == "text"
or etree.QName(child_item).localname == "longDecimal"
or etree.QName(child_item).localname == "multiText"
):
# https://msdn.microsoft.com/en-us/library/dn605987(v=vs.85).aspx
if search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=True,
)
),
policy_file_data,
):
configured_elements[this_element_name] = "Disabled"
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is disabled",
child_item.attrib["id"],
)
elif search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=False,
)
),
policy_file_data,
):
configured_value = _getDataFromRegPolData(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=False,
),
policy_file_data,
)
configured_elements[this_element_name] = (
configured_value
)
log.trace(
"element %s is enabled, value == %s",
child_item.attrib["id"],
configured_value,
)
elif etree.QName(child_item).localname == "enum":
if search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=True,
)
),
policy_file_data,
):
log.trace(
"enum element %s is disabled",
child_item.attrib["id"],
)
configured_elements[this_element_name] = "Disabled"
policy_disabled_elements = (
policy_disabled_elements + 1
)
else:
for enum_item in child_item:
if _checkValueItemParent(
enum_item,
child_item.attrib["id"],
child_key,
child_valuename,
VALUE_XPATH,
policy_file_data,
):
if VALUE_LIST_XPATH(enum_item):
log.trace("enum item has a valueList")
if _checkListItem(
enum_item,
this_policyname,
child_key,
VALUE_LIST_XPATH,
policy_file_data,
):
log.trace(
"all valueList items exist in"
" file"
)
configured_elements[
this_element_name
] = _getAdmlDisplayName(
adml_policy_resources,
enum_item.attrib["displayName"],
)
break
else:
configured_elements[
this_element_name
] = _getAdmlDisplayName(
adml_policy_resources,
enum_item.attrib["displayName"],
)
break
elif etree.QName(child_item).localname == "list":
return_value_name = False
if (
"explicitValue" in child_item.attrib
and child_item.attrib["explicitValue"].lower()
== "true"
):
log.trace(
"explicitValue list, we will return value names"
)
return_value_name = True
regex_str = [
r"(?!\*",
r"\*",
"D",
"e",
"l",
"V",
"a",
"l",
"s",
r"\.",
")",
]
delvals_regex = "\x00".join(regex_str)
delvals_regex = salt.utils.stringutils.to_bytes(
delvals_regex
)
if search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=False,
)
)
+ delvals_regex,
policy_file_data,
):
configured_value = _getDataFromRegPolData(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=False,
),
policy_file_data,
return_value_name=return_value_name,
)
configured_elements[this_element_name] = (
configured_value
)
log.trace(
"element %s is enabled values: %s",
child_item.attrib["id"],
configured_value,
)
elif search_reg_pol(
re.escape(
_processValueItem(
child_item,
child_key,
child_valuename,
admx_policy,
elements_item,
check_deleted=True,
)
),
policy_file_data,
):
configured_elements[this_element_name] = "Disabled"
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is disabled",
child_item.attrib["id"],
)
if element_only_enabled_disabled:
if len(required_elements.keys()) > 0 and len(
configured_elements.keys()
) == len(required_elements.keys()):
if policy_disabled_elements == len(
required_elements.keys()
):
log.trace(
"%s is disabled by all enum elements",
this_policyname,
)
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = "Disabled"
else:
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = configured_elements
log.trace(
"%s is enabled by enum elements", this_policyname
)
else:
if this_policy_setting == "Enabled":
if this_policynamespace not in policy_vals:
policy_vals[this_policynamespace] = {}
policy_vals[this_policynamespace][
this_policyname
] = configured_elements
if (
return_full_policy_names
and this_policynamespace in policy_vals
and this_policyname in policy_vals[this_policynamespace]
):
if this_policynamespace not in full_names:
full_names[this_policynamespace] = {}
full_names[this_policynamespace][this_policyname] = _getFullPolicyName(
policy_item=admx_policy,
policy_name=admx_policy.attrib["name"],
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
# Make sure the we're passing the full policy name
# This issue was found when setting the `Allow Telemetry` setting
# All following states would show a change in this setting
# When the state does its first `lgpo.get` it would return `AllowTelemetry`
# On the second run, it would return `Allow Telemetry`
# This makes sure we're always returning the full_name when required
if (
this_policyname
in policy_vals[this_policynamespace][this_policyname]
):
full_name = full_names[this_policynamespace][this_policyname]
setting = policy_vals[this_policynamespace][this_policyname].pop(
this_policyname
)
policy_vals[this_policynamespace][this_policyname][
full_name
] = setting
if (
this_policynamespace in policy_vals
and this_policyname in policy_vals[this_policynamespace]
):
if this_policynamespace not in hierarchy:
hierarchy[this_policynamespace] = {}
hierarchy[this_policynamespace][this_policyname] = _build_parent_list(
policy_definition=admx_policy,
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
log.trace("Examination complete: %s seconds", time.time() - start_time)
if policy_vals and return_full_policy_names and not hierarchical_return:
log.debug("Compiling non hierarchical return...")
start_time = time.time()
unpathed_dict = {}
pathed_dict = {}
for policy_namespace in list(policy_vals):
for policy_item in list(policy_vals[policy_namespace]):
if (
full_names[policy_namespace][policy_item]
in policy_vals[policy_namespace]
):
# add this item with the path'd full name
full_path_list = hierarchy[policy_namespace][policy_item]
full_path_list.reverse()
full_path_list.append(full_names[policy_namespace][policy_item])
policy_vals["\\".join(full_path_list)] = policy_vals[
policy_namespace
].pop(policy_item)
pathed_dict[full_names[policy_namespace][policy_item]] = True
else:
policy_vals[policy_namespace][
full_names[policy_namespace][policy_item]
] = policy_vals[policy_namespace].pop(policy_item)
if policy_namespace not in unpathed_dict:
unpathed_dict[policy_namespace] = {}
unpathed_dict[policy_namespace][
full_names[policy_namespace][policy_item]
] = policy_item
# go back and remove any "unpathed" policies that need a full path
if policy_namespace in unpathed_dict:
for path_needed in unpathed_dict[policy_namespace]:
# remove the item with the same full name and re-add it w/a path'd version
full_path_list = hierarchy[policy_namespace][
unpathed_dict[policy_namespace][path_needed]
]
full_path_list.reverse()
full_path_list.append(path_needed)
log.trace("full_path_list == %s", full_path_list)
policy_vals["\\".join(full_path_list)] = policy_vals[
policy_namespace
].pop(path_needed)
log.trace("Compilation complete: %s seconds", time.time() - start_time)
for policy_namespace in list(policy_vals):
if policy_vals[policy_namespace] == {}:
policy_vals.pop(policy_namespace)
if policy_vals and hierarchical_return:
if hierarchy:
log.debug("Compiling hierarchical return...")
start_time = time.time()
for policy_namespace in hierarchy:
for hierarchy_item in hierarchy[policy_namespace]:
if hierarchy_item in policy_vals[policy_namespace]:
tdict = {}
first_item = True
for item in hierarchy[policy_namespace][hierarchy_item]:
newdict = {}
if first_item:
h_policy_name = hierarchy_item
if return_full_policy_names:
h_policy_name = full_names[policy_namespace][
hierarchy_item
]
newdict[item] = {
h_policy_name: policy_vals[policy_namespace].pop(
hierarchy_item
)
}
first_item = False
else:
newdict[item] = tdict
tdict = newdict
if tdict:
policy_vals = dictupdate.update(policy_vals, tdict)
if (
policy_namespace in policy_vals
and policy_vals[policy_namespace] == {}
):
policy_vals.pop(policy_namespace)
log.trace("Compilation complete: %s seconds", time.time() - start_time)
policy_vals = {
CLASS_INFO[policy_class]["lgpo_section"]: {
"Administrative Templates": policy_vals
}
}
return policy_vals
def _build_parent_list(policy_definition, return_full_policy_names, adml_language):
"""
helper function to build a list containing parent elements of the ADMX
policy
"""
parent_list = []
policy_namespace = next(iter(policy_definition.nsmap))
parent_category = policy_definition.xpath(
f"{policy_namespace}:parentCategory/@ref",
namespaces=policy_definition.nsmap,
)
admx_policy_definitions = _get_policy_definitions(language=adml_language)
if parent_category:
parent_category = parent_category[0]
nsmap_xpath = "/policyDefinitions/policyNamespaces/{}:*".format(
policy_namespace
)
this_namespace_map = _buildElementNsmap(
admx_policy_definitions.xpath(
nsmap_xpath, namespaces=policy_definition.nsmap
)
)
this_namespace_map = dictupdate.update(
this_namespace_map, policy_definition.nsmap
)
parent_list = _admx_policy_parent_walk(
path=parent_list,
policy_namespace=policy_namespace,
parent_category=parent_category,
policy_nsmap=this_namespace_map,
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
return parent_list
def _admx_policy_parent_walk(
path,
policy_namespace,
parent_category,
policy_nsmap,
return_full_policy_names,
adml_language,
):
"""
helper function to recursively walk up the ADMX namespaces and build the
hierarchy for the policy
"""
admx_policy_definitions = _get_policy_definitions(language=adml_language)
category_xpath_string = '/policyDefinitions/categories/{}:category[@name="{}"]'
using_xpath_string = "/policyDefinitions/policyNamespaces/{}:using"
if parent_category.find(":") >= 0:
# the parent is in another namespace
policy_namespace = parent_category.split(":")[0]
parent_category = parent_category.split(":")[1]
using_xpath_string = using_xpath_string.format(policy_namespace)
policy_nsmap = dictupdate.update(
policy_nsmap,
_buildElementNsmap(
admx_policy_definitions.xpath(
using_xpath_string, namespaces=policy_nsmap
)
),
)
category_xpath_string = category_xpath_string.format(
policy_namespace, parent_category
)
if admx_policy_definitions.xpath(category_xpath_string, namespaces=policy_nsmap):
tparent_category = admx_policy_definitions.xpath(
category_xpath_string, namespaces=policy_nsmap
)[0]
this_parent_name = _getFullPolicyName(
policy_item=tparent_category,
policy_name=tparent_category.attrib["name"],
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
path.append(this_parent_name)
if tparent_category.xpath(
f"{policy_namespace}:parentCategory/@ref", namespaces=policy_nsmap
):
# parent has a parent
path = _admx_policy_parent_walk(
path=path,
policy_namespace=policy_namespace,
parent_category=tparent_category.xpath(
f"{policy_namespace}:parentCategory/@ref",
namespaces=policy_nsmap,
)[0],
policy_nsmap=policy_nsmap,
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
return path
def _regexSearchKeyValueCombo(policy_data, policy_regpath, policy_regkey):
"""
helper function to do a search of Policy data from a registry.pol file
for a policy_regpath and policy_regkey combo
"""
if policy_data:
regex_str = [
r"(\*",
r"\*",
"D",
"e",
"l",
r"\.",
r"|\*",
r"\*",
"D",
"e",
"l",
"V",
"a",
"l",
"s",
r"\.",
"){0,1}",
]
specialValueRegex = "\x00".join(regex_str)
specialValueRegex = salt.utils.stringutils.to_bytes(specialValueRegex)
_thisSearch = b"".join(
[
salt.utils.stringutils.to_bytes(r"\["),
re.escape(policy_regpath),
b"\x00;\x00",
specialValueRegex,
re.escape(policy_regkey.lstrip(b"\x00")),
b"\x00;",
]
)
match = re.search(_thisSearch, policy_data, re.IGNORECASE)
if match:
# add 2 so we get the ']' and the \00
# to return the full policy entry
return policy_data[
match.start() : (policy_data.index(b"]", match.end())) + 2
]
return None
def _policyFileReplaceOrAppendList(string_list, policy_data):
"""
helper function to take a list of strings for registry.pol file data and
update existing strings or append the strings
"""
if not policy_data:
policy_data = b""
# we are going to clean off the special pre-fixes, so we get only the valuename
specialValueRegex = salt.utils.stringutils.to_bytes(
r"(\*\*Del\.|\*\*DelVals\.){0,1}"
)
for this_string in string_list:
list_item_key = this_string.split(b"\00;")[0].lstrip(b"[")
list_item_value_name = re.sub(
specialValueRegex, b"", this_string.split(b"\00;")[1], flags=re.IGNORECASE
)
log.trace("item value name is %s", list_item_value_name)
data_to_replace = _regexSearchKeyValueCombo(
policy_data, list_item_key, list_item_value_name
)
if data_to_replace:
log.trace("replacing %s with %s", data_to_replace, this_string)
policy_data = policy_data.replace(data_to_replace, this_string)
else:
log.trace("appending %s", this_string)
policy_data = b"".join([policy_data, this_string])
return policy_data
def _policyFileReplaceOrAppend(this_string, policy_data, append_only=False):
"""
helper function to take a ADMX policy string for registry.pol file data and
update existing string or append the string to the data
"""
# we are going to clean off the special pre-fixes, so we get only the valuename
if not policy_data:
policy_data = b""
specialValueRegex = salt.utils.stringutils.to_bytes(
r"(\*\*Del\.|\*\*DelVals\.){0,1}"
)
data_to_replace = None
if not append_only:
item_key = this_string.split(b"\00;")[0].lstrip(b"[")
item_value_name = re.sub(
specialValueRegex, b"", this_string.split(b"\00;")[1], flags=re.IGNORECASE
)
log.trace("item value name is %s", item_value_name)
data_to_replace = _regexSearchKeyValueCombo(
policy_data, item_key, item_value_name
)
if data_to_replace:
log.trace("replacing %s with %s", data_to_replace, this_string)
policy_data = policy_data.replace(data_to_replace, this_string)
else:
log.trace("appending %s", this_string)
policy_data = b"".join([policy_data, this_string])
return policy_data
def _writeAdminTemplateRegPolFile(
admtemplate_data, adml_language="en-US", registry_class="Machine"
):
r"""
helper function to prep/write adm template data to the Registry.pol file
each file begins with REGFILE_SIGNATURE (u'\u5250\u6765') and
REGISTRY_FILE_VERSION (u'\x01\00')
https://msdn.microsoft.com/en-us/library/aa374407(VS.85).aspx
+ https://msdn.microsoft.com/en-us/library/cc232696.aspx
[Registry Path<NULL>;Reg Value<NULL>;Reg Type;SizeInBytes;Data<NULL>]
"""
existing_data = b""
policySearchXpath = '//ns1:*[@id = "{0}" or @name = "{0}"]'
admx_policy_definitions = _get_policy_definitions(language=adml_language)
adml_policy_resources = _get_policy_resources(language=adml_language)
base_policy_settings = _checkAllAdmxPolicies(
policy_class=registry_class,
adml_language=adml_language,
return_full_policy_names=False,
hierarchical_return=False,
return_not_configured=False,
)
for adm_namespace in admtemplate_data:
for adm_policy in admtemplate_data[adm_namespace]:
if (
str(admtemplate_data[adm_namespace][adm_policy]).lower()
== "not configured"
):
if (
base_policy_settings.get(adm_namespace, {}).pop(adm_policy, None)
is not None
):
log.trace('Policy "%s" removed', adm_policy)
else:
log.trace("adding %s to base_policy_settings", adm_policy)
if adm_namespace not in base_policy_settings:
base_policy_settings[adm_namespace] = {}
base_policy_settings[adm_namespace][adm_policy] = admtemplate_data[
adm_namespace
][adm_policy]
for adm_namespace in base_policy_settings:
for admPolicy in base_policy_settings[adm_namespace]:
log.trace("working on admPolicy %s", admPolicy)
explicit_enable_disable_value_setting = False
this_key = None
this_valuename = None
if (
str(base_policy_settings[adm_namespace][admPolicy]).lower()
== "disabled"
):
log.trace("time to disable %s", admPolicy)
this_policy = admx_policy_definitions.xpath(
policySearchXpath.format(admPolicy),
namespaces={"ns1": adm_namespace},
)
if this_policy:
this_policy = this_policy[0]
if "class" in this_policy.attrib:
if (
this_policy.attrib["class"] == registry_class
or this_policy.attrib["class"] == "Both"
):
if "key" in this_policy.attrib:
this_key = this_policy.attrib["key"]
else:
log.error(
"policy item %s does not have "
'the required "key" attribute',
this_policy.attrib,
)
break
if "valueName" in this_policy.attrib:
this_valuename = this_policy.attrib["valueName"]
if DISABLED_VALUE_XPATH(this_policy):
# set the disabled value in the registry.pol file
explicit_enable_disable_value_setting = True
disabled_value_string = _checkValueItemParent(
this_policy,
admPolicy,
this_key,
this_valuename,
DISABLED_VALUE_XPATH,
None,
check_deleted=False,
test_item=False,
)
existing_data = _policyFileReplaceOrAppend(
disabled_value_string, existing_data
)
if DISABLED_LIST_XPATH(this_policy):
explicit_enable_disable_value_setting = True
disabled_list_strings = _checkListItem(
this_policy,
admPolicy,
this_key,
DISABLED_LIST_XPATH,
None,
test_items=False,
)
log.trace(
"working with disabledList portion of %s",
admPolicy,
)
existing_data = _policyFileReplaceOrAppendList(
disabled_list_strings, existing_data
)
if (
not explicit_enable_disable_value_setting
and this_valuename
):
disabled_value_string = _buildKnownDataSearchString(
this_key,
this_valuename,
"REG_DWORD",
None,
check_deleted=True,
)
existing_data = _policyFileReplaceOrAppend(
disabled_value_string, existing_data
)
if ELEMENTS_XPATH(this_policy):
log.trace("checking elements of %s", admPolicy)
for elements_item in ELEMENTS_XPATH(this_policy):
for child_item in elements_item:
child_key = this_key
child_valuename = this_valuename
if "key" in child_item.attrib:
child_key = child_item.attrib["key"]
if "valueName" in child_item.attrib:
child_valuename = child_item.attrib[
"valueName"
]
if etree.QName(
child_item
).localname == "boolean" and (
TRUE_LIST_XPATH(child_item)
or FALSE_LIST_XPATH(child_item)
):
# WARNING: no OOB adm files use true/falseList items
# this has not been fully vetted
temp_dict = {
"trueList": TRUE_LIST_XPATH,
"falseList": FALSE_LIST_XPATH,
}
for this_list in temp_dict:
disabled_list_strings = _checkListItem(
child_item,
admPolicy,
child_key,
temp_dict[this_list],
None,
test_items=False,
)
log.trace(
"working with %s portion of %s",
admPolicy,
this_list,
)
existing_data = (
_policyFileReplaceOrAppendList(
disabled_list_strings,
existing_data,
)
)
elif (
etree.QName(child_item).localname
== "boolean"
or etree.QName(child_item).localname
== "decimal"
or etree.QName(child_item).localname
== "text"
or etree.QName(child_item).localname
== "longDecimal"
or etree.QName(child_item).localname
== "multiText"
or etree.QName(child_item).localname
== "enum"
):
disabled_value_string = _processValueItem(
child_item,
child_key,
child_valuename,
this_policy,
elements_item,
check_deleted=True,
)
log.trace(
"I have disabled value string of %s",
disabled_value_string,
)
existing_data = _policyFileReplaceOrAppend(
disabled_value_string, existing_data
)
elif (
etree.QName(child_item).localname == "list"
):
disabled_value_string = _processValueItem(
child_item,
child_key,
child_valuename,
this_policy,
elements_item,
check_deleted=True,
)
log.trace(
"I have disabled value string of %s",
disabled_value_string,
)
existing_data = _policyFileReplaceOrAppend(
disabled_value_string, existing_data
)
else:
log.error(
"policy %s was found but it does not appear to be valid"
" for the class %s",
admPolicy,
registry_class,
)
else:
log.error(
'policy item %s does not have the required "class"'
" attribute",
this_policy.attrib,
)
else:
log.trace('time to enable and set the policy "%s"', admPolicy)
this_policy = admx_policy_definitions.xpath(
policySearchXpath.format(admPolicy),
namespaces={"ns1": adm_namespace},
)
log.trace("found this_policy == %s", this_policy)
if this_policy:
this_policy = this_policy[0]
if "class" in this_policy.attrib:
if (
this_policy.attrib["class"] == registry_class
or this_policy.attrib["class"] == "Both"
):
if "key" in this_policy.attrib:
this_key = this_policy.attrib["key"]
else:
log.error(
'policy item %s does not have the required "key"'
" attribute",
this_policy.attrib,
)
break
if "valueName" in this_policy.attrib:
this_valuename = this_policy.attrib["valueName"]
if ENABLED_VALUE_XPATH(this_policy):
explicit_enable_disable_value_setting = True
enabled_value_string = _checkValueItemParent(
this_policy,
admPolicy,
this_key,
this_valuename,
ENABLED_VALUE_XPATH,
None,
check_deleted=False,
test_item=False,
)
existing_data = _policyFileReplaceOrAppend(
enabled_value_string, existing_data
)
if ENABLED_LIST_XPATH(this_policy):
explicit_enable_disable_value_setting = True
enabled_list_strings = _checkListItem(
this_policy,
admPolicy,
this_key,
ENABLED_LIST_XPATH,
None,
test_items=False,
)
log.trace(
"working with enabledList portion of %s", admPolicy
)
existing_data = _policyFileReplaceOrAppendList(
enabled_list_strings, existing_data
)
if (
not explicit_enable_disable_value_setting
and this_valuename
):
enabled_value_string = _buildKnownDataSearchString(
this_key,
this_valuename,
"REG_DWORD",
"1",
check_deleted=False,
)
existing_data = _policyFileReplaceOrAppend(
enabled_value_string, existing_data
)
if ELEMENTS_XPATH(this_policy):
for elements_item in ELEMENTS_XPATH(this_policy):
for child_item in elements_item:
child_key = this_key
child_valuename = this_valuename
if "key" in child_item.attrib:
child_key = child_item.attrib["key"]
if "valueName" in child_item.attrib:
child_valuename = child_item.attrib[
"valueName"
]
if (
child_item.attrib["id"]
in base_policy_settings[adm_namespace][
admPolicy
]
):
if etree.QName(
child_item
).localname == "boolean" and (
TRUE_LIST_XPATH(child_item)
or FALSE_LIST_XPATH(child_item)
):
list_strings = []
if base_policy_settings[adm_namespace][
admPolicy
][child_item.attrib["id"]]:
list_strings = _checkListItem(
child_item,
admPolicy,
child_key,
TRUE_LIST_XPATH,
None,
test_items=False,
)
log.trace(
"working with trueList portion"
" of %s",
admPolicy,
)
else:
list_strings = _checkListItem(
child_item,
admPolicy,
child_key,
FALSE_LIST_XPATH,
None,
test_items=False,
)
existing_data = (
_policyFileReplaceOrAppendList(
list_strings, existing_data
)
)
elif etree.QName(
child_item
).localname == "boolean" and (
TRUE_VALUE_XPATH(child_item)
or FALSE_VALUE_XPATH(child_item)
):
value_string = ""
if base_policy_settings[adm_namespace][
admPolicy
][child_item.attrib["id"]]:
value_string = (
_checkValueItemParent(
child_item,
admPolicy,
child_key,
child_valuename,
TRUE_VALUE_XPATH,
None,
check_deleted=False,
test_item=False,
)
)
else:
value_string = (
_checkValueItemParent(
child_item,
admPolicy,
child_key,
child_valuename,
FALSE_VALUE_XPATH,
None,
check_deleted=False,
test_item=False,
)
)
existing_data = (
_policyFileReplaceOrAppend(
value_string, existing_data
)
)
elif (
etree.QName(child_item).localname
== "boolean"
or etree.QName(child_item).localname
== "decimal"
or etree.QName(child_item).localname
== "text"
or etree.QName(child_item).localname
== "longDecimal"
or etree.QName(child_item).localname
== "multiText"
):
enabled_value_string = _processValueItem(
child_item,
child_key,
child_valuename,
this_policy,
elements_item,
check_deleted=False,
this_element_value=base_policy_settings[
adm_namespace
][
admPolicy
][
child_item.attrib["id"]
],
)
log.trace(
"I have enabled value string of %s",
enabled_value_string,
)
existing_data = (
_policyFileReplaceOrAppend(
enabled_value_string,
existing_data,
)
)
elif (
etree.QName(child_item).localname
== "enum"
):
for enum_item in child_item:
if (
base_policy_settings[
adm_namespace
][admPolicy][
child_item.attrib["id"]
]
== _getAdmlDisplayName(
adml_policy_resources,
enum_item.attrib[
"displayName"
],
).strip()
):
enabled_value_string = (
_checkValueItemParent(
enum_item,
child_item.attrib["id"],
child_key,
child_valuename,
VALUE_XPATH,
None,
check_deleted=False,
test_item=False,
)
)
existing_data = (
_policyFileReplaceOrAppend(
enabled_value_string,
existing_data,
)
)
if VALUE_LIST_XPATH(enum_item):
enabled_list_strings = (
_checkListItem(
enum_item,
admPolicy,
child_key,
VALUE_LIST_XPATH,
None,
test_items=False,
)
)
log.trace(
"working with valueList"
" portion of %s",
child_item.attrib["id"],
)
existing_data = _policyFileReplaceOrAppendList(
enabled_list_strings,
existing_data,
)
break
elif (
etree.QName(child_item).localname
== "list"
):
enabled_value_string = _processValueItem(
child_item,
child_key,
child_valuename,
this_policy,
elements_item,
check_deleted=False,
this_element_value=base_policy_settings[
adm_namespace
][
admPolicy
][
child_item.attrib["id"]
],
)
log.trace(
"I have enabled value string of %s",
enabled_value_string,
)
existing_data = (
_policyFileReplaceOrAppend(
enabled_value_string,
existing_data,
append_only=True,
)
)
try:
write_reg_pol_data(
data_to_write=existing_data,
policy_file_path=CLASS_INFO[registry_class]["policy_path"],
gpt_extension=CLASS_INFO[registry_class]["gpt_extension_location"],
gpt_extension_guid=CLASS_INFO[registry_class]["gpt_extension_guid"],
)
# TODO: This needs to be more specific or removed
except CommandExecutionError as exc: # pylint: disable=broad-except
log.exception(
"Unhandled exception occurred while attempting to "
"write Adm Template Policy File.\nException: %s",
exc,
)
return False
return True
def _getScriptSettingsFromIniFile(policy_info):
"""
helper function to parse/read a GPO Startup/Shutdown script file
psscript.ini and script.ini file definitions are here
https://msdn.microsoft.com/en-us/library/ff842529.aspx
https://msdn.microsoft.com/en-us/library/dd303238.aspx
"""
_existingData = None
if os.path.isfile(policy_info["ScriptIni"]["IniPath"]):
with salt.utils.files.fopen(policy_info["ScriptIni"]["IniPath"], "rb") as fhr:
_existingData = fhr.read()
if _existingData:
try:
_existingData = deserialize(
_existingData.decode("utf-16-le").lstrip("\ufeff")
)
log.trace("Have deserialized data %s", _existingData)
except Exception as error: # pylint: disable=broad-except
log.exception(
"An error occurred attempting to deserialize data for %s",
policy_info["Policy"],
)
raise CommandExecutionError(error)
if "Section" in policy_info["ScriptIni"] and policy_info["ScriptIni"][
"Section"
].lower() in [z.lower() for z in _existingData.keys()]:
if "SettingName" in policy_info["ScriptIni"]:
log.trace(
"Need to look for %s", policy_info["ScriptIni"]["SettingName"]
)
if policy_info["ScriptIni"]["SettingName"].lower() in [
z.lower()
for z in _existingData[
policy_info["ScriptIni"]["Section"]
].keys()
]:
return _existingData[policy_info["ScriptIni"]["Section"]][
policy_info["ScriptIni"]["SettingName"].lower()
]
else:
return None
else:
return _existingData[policy_info["ScriptIni"]["Section"]]
else:
return None
return None
def _writeGpoScript(psscript=False):
"""
helper function to write local GPO startup/shutdown script
scripts are stored in scripts.ini and psscripts.ini files in
``WINDIR\\System32\\GroupPolicy\\Machine|User\\Scripts``
these files have the hidden attribute set
files have following format:
empty line
[Startup]
0CmdLine=<path to script 0>
0Parameters=<script 0 parameters>
[Shutdown]
0CmdLine=<path to shutdown script 0>
0Parameters=<shutdown script 0 parameters>
Number is incremented for each script added
psscript file also has the option of a [ScriptsConfig] section, which has
the following two parameters:
StartExecutePSFirst
EndExecutePSFirst
these can be set to True/False to denote if the powershell startup/shutdown
scripts execute first (True) or last (False), if the value isn't set, then
it is 'Not Configured' in the GUI
"""
_machineScriptPolicyPath = os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"scripts.ini",
)
_machinePowershellScriptPolicyPath = os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"Machine",
"Scripts",
"psscripts.ini",
)
_userScriptPolicyPath = os.path.join(
os.getenv("WINDIR"), "System32", "GroupPolicy", "User", "Scripts", "scripts.ini"
)
_userPowershellScriptPolicyPath = os.path.join(
os.getenv("WINDIR"),
"System32",
"GroupPolicy",
"User",
"Scripts",
"psscripts.ini",
)
def _lookup_admin_template(policy_name, policy_class, adml_language="en-US"):
"""
(success_flag, policy_xml_item, policy_name_list, message)
"""
policy_aliases = []
admx_policy_definitions = _get_policy_definitions(language=adml_language)
adml_policy_resources = _get_policy_resources(language=adml_language)
admx_search_results = ADMX_SEARCH_XPATH(
admx_policy_definitions, policy_name=policy_name, registry_class=policy_class
)
if admx_search_results:
if len(admx_search_results) == 1:
the_policy = admx_search_results[0]
policy_display_name = _getFullPolicyName(
policy_item=the_policy,
policy_name=the_policy.attrib["name"],
return_full_policy_names=True,
adml_language=adml_language,
)
policy_aliases.append(policy_display_name)
policy_aliases.append(the_policy.attrib["name"])
full_path_list = _build_parent_list(
policy_definition=the_policy,
return_full_policy_names=True,
adml_language=adml_language,
)
full_path_list.reverse()
full_path_list.append(policy_display_name)
policy_aliases.append("\\".join(full_path_list))
return True, the_policy, policy_aliases, None
else:
policy_aliases = []
for the_policy in admx_search_results:
policy_display_name = _getFullPolicyName(
policy_item=the_policy,
policy_name=the_policy.attrib["name"],
return_full_policy_names=True,
adml_language=adml_language,
)
full_path_list = _build_parent_list(
policy_definition=the_policy,
return_full_policy_names=True,
adml_language=adml_language,
)
full_path_list.append(policy_display_name)
policy_aliases.append("\\".join(full_path_list))
policies = "\n - ".join(policy_aliases)
msg = (
'ADMX policy name/id "{}" is used in multiple ADMX files.\n'
"Try one of the following names:\n"
" - {}".format(policy_name, policies)
)
return False, None, [], msg
else:
adml_search_results = ADML_SEARCH_XPATH(
adml_policy_resources, policy_name=policy_name
)
hierarchy = []
hierarchy_policy_name = policy_name
if not adml_search_results:
log.warning("Trying another: %s", policy_name)
if "\\" in policy_name:
hierarchy = policy_name.split("\\")
policy_name = hierarchy.pop()
adml_search_results = ADML_SEARCH_XPATH(
adml_policy_resources, policy_name=policy_name
)
if adml_search_results:
multiple_adml_entries = False
suggested_policies = ""
adml_to_remove = []
if len(adml_search_results) > 1:
log.trace(
"multiple ADML entries found matching the policy name %s",
policy_name,
)
multiple_adml_entries = True
for adml_search_result in adml_search_results:
if (
not getattr(adml_search_result, "text", "").strip()
== policy_name
):
adml_to_remove.append(adml_search_result)
else:
if hierarchy:
log.trace("we have hierarchy of %s", hierarchy)
display_name_searchval = "$({}.{})".format(
adml_search_result.tag.split("}")[1],
adml_search_result.attrib["id"],
)
policy_search_string = (
'//{}:policy[@displayName = "{}" and (@class = "Both"'
' or @class = "{}") ]'.format(
adml_search_result.prefix,
display_name_searchval,
policy_class,
)
)
admx_results = []
these_admx_search_results = admx_policy_definitions.xpath(
policy_search_string,
namespaces=adml_search_result.nsmap,
)
if not these_admx_search_results:
log.trace(
"No admx was found for the adml entry %s, it will"
" be removed",
display_name_searchval,
)
adml_to_remove.append(adml_search_result)
for search_result in these_admx_search_results:
log.trace("policy_name == %s", policy_name)
this_hierarchy = _build_parent_list(
policy_definition=search_result,
return_full_policy_names=True,
adml_language=adml_language,
)
this_hierarchy.reverse()
if hierarchy != this_hierarchy:
log.trace(
"hierarchy %s does not match this item's"
" hierarchy of %s",
hierarchy,
this_hierarchy,
)
if len(these_admx_search_results) == 1:
log.trace(
"only 1 admx was found and it does not "
"match this adml, it is safe to remove "
"from the list"
)
adml_to_remove.append(adml_search_result)
else:
log.trace(
"hierarchy %s matches item's hierarchy of %s",
hierarchy,
this_hierarchy,
)
log.trace(
"search_result %s added to results",
search_result,
)
admx_results.append(search_result)
if len(admx_results) == 1:
admx_search_results.append(admx_results[0])
else:
# verify the ADMX correlated to this ADML is in the same class
# that we are looking for
display_name_searchval = "$({}.{})".format(
adml_search_result.tag.split("}")[1],
adml_search_result.attrib["id"],
)
these_admx_search_results = ADMX_DISPLAYNAME_SEARCH_XPATH(
admx_policy_definitions,
display_name=display_name_searchval,
registry_class=policy_class,
)
if not these_admx_search_results:
adml_to_remove.append(adml_search_result)
for adml in adml_to_remove:
if adml in adml_search_results:
adml_search_results.remove(adml)
if len(adml_search_results) == 1 and multiple_adml_entries:
multiple_adml_entries = False
for adml_search_result in adml_search_results:
log.trace(
"found an ADML entry matching the string! %s -- %s",
adml_search_result.tag,
adml_search_result.attrib,
)
display_name_searchval = "$({}.{})".format(
adml_search_result.tag.split("}")[1],
adml_search_result.attrib["id"],
)
log.trace("searching for displayName == %s", display_name_searchval)
if not admx_search_results:
log.trace(
"search for an admx entry matching display_name %s and"
" registry_class %s",
display_name_searchval,
policy_class,
)
admx_search_results = ADMX_DISPLAYNAME_SEARCH_XPATH(
admx_policy_definitions,
display_name=display_name_searchval,
registry_class=policy_class,
)
if admx_search_results:
log.trace(
"processing admx_search_results of %s", admx_search_results
)
log.trace("multiple_adml_entries is %s", multiple_adml_entries)
if (
len(admx_search_results) == 1 or hierarchy
) and not multiple_adml_entries:
found = False
for search_result in admx_search_results:
found = False
if hierarchy:
this_hierarchy = _build_parent_list(
policy_definition=search_result,
return_full_policy_names=True,
adml_language=adml_language,
)
this_hierarchy.reverse()
log.trace("testing %s == %s", hierarchy, this_hierarchy)
if hierarchy == this_hierarchy:
found = True
else:
found = True
if found:
log.trace(
"found the ADMX policy matching "
"the display name %s -- %s",
search_result,
policy_name,
)
if "name" in search_result.attrib:
policy_display_name = _getFullPolicyName(
policy_item=search_result,
policy_name=search_result.attrib["name"],
return_full_policy_names=True,
adml_language=adml_language,
)
policy_aliases.append(policy_display_name)
policy_aliases.append(search_result.attrib["name"])
full_path_list = _build_parent_list(
policy_definition=search_result,
return_full_policy_names=True,
adml_language=adml_language,
)
full_path_list.reverse()
full_path_list.append(policy_display_name)
policy_aliases.append("\\".join(full_path_list))
return True, search_result, policy_aliases, None
else:
msg = (
"ADMX policy with the display name {} does not"
"have the required name attribute"
)
msg = msg.format(policy_name)
return False, None, [], msg
if not found:
msg = "Unable to correlate {} to any policy".format(
hierarchy_policy_name
)
return False, None, [], msg
else:
for possible_policy in admx_search_results:
this_parent_list = _build_parent_list(
policy_definition=possible_policy,
return_full_policy_names=True,
adml_language=adml_language,
)
this_parent_list.reverse()
this_parent_list.append(policy_name)
if suggested_policies:
suggested_policies = ", ".join(
[suggested_policies, "\\".join(this_parent_list)]
)
else:
suggested_policies = "\\".join(this_parent_list)
if suggested_policies:
msg = (
'ADML policy name "{}" is used as the display name for '
"multiple policies. These policies matched: {}. You can "
"utilize these long names to specify the correct policy"
)
return False, None, [], msg.format(policy_name, suggested_policies)
return (
False,
None,
[],
f"Unable to find {policy_class} policy {policy_name}",
)
def get_policy_info(policy_name, policy_class, adml_language="en-US"):
r"""
Returns information about a specified policy
Args:
policy_name (str):
The name of the policy to lookup
policy_class (str):
The class of policy, i.e. machine, user, both
adml_language (str):
The ADML language to use for Administrative Template data lookup
Returns:
dict: Information about the specified policy
CLI Example:
.. code-block:: bash
salt '*' lgpo.get_policy_info 'Maximum password age' machine
You can use ``lgpo.get_policy_info`` to get all the possible names that
could be used in a state file or from the command line (along with elements
that need to be set/etc). The key is to match the text you see in the
``gpedit.msc`` gui exactly, including quotes around words or phrases. The
"full path" style is really only needed when there are multiple policies
that use the same base name. For example, ``Access data sources across
domains`` exists in ~10 different paths. If you put that through
``get_policy_info`` you'll get back a message that it is used for multiple
policies and you need to be more specific.
CLI Example:
.. code-block:: bash
salt-call --local lgpo.get_policy_info ShellRemoveOrderPrints_2 machine
local:
----------
message:
policy_aliases:
- Turn off the "Order Prints" picture task
- ShellRemoveOrderPrints_2
- System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
policy_class:
machine
policy_elements:
policy_found:
True
policy_name:
ShellRemoveOrderPrints_2
rights_assignment:
False
Escaping can get tricky in cmd/Powershell. The following is an example of
escaping in Powershell using backquotes:
.. code-block:: bash
PS>salt-call --local lgpo.get_policy_info "Turn off the `\`"Order Prints`\`" picture task" machine
local:
----------
message:
policy_aliases:
- Turn off the "Order Prints" picture task
- ShellRemoveOrderPrints_2
- System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
policy_class:
machine
policy_elements:
policy_found:
True
policy_name:
Turn off the "Order Prints" picture task
rights_assignment:
False
This function can then be used to get the options available for specifying
Group Policy Objects to be used in state files. Based on the above any of
these *should* be usable:
.. code-block:: bash
internet_communications_settings:
lgpo.set:
- computer_policy:
Turn off the "Order Prints" picture task: Enabled
.. code-block:: bash
internet_communications_settings:
lgpo.set:
- computer_policy:
ShellRemoveOrderPrints_2: Enabled
When using the full path, it might be a good idea to use single quotes
around the path:
.. code-block:: bash
internet_communications_settings:
lgpo.set:
- computer_policy:
'System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task': 'Enabled'
If you struggle to find the policy from ``get_policy_info`` using the name
as you see in ``gpedit.msc``, the names such as "ShellRemoveOrderPrints_2"
come from the ``.admx`` files. If you know nothing about ``.admx/.adml``
relationships (ADML holds what you see in the GUI, ADMX holds the more
technical details), then this may be a little bit too much info, but here is
an example with the above policy using Powershell:
.. code-block:: bash
PS>Get-ChildItem -Path C:\Windows\PolicyDefinitions -Recurse -Filter *.adml | Select-String "Order Prints"
C:\windows\PolicyDefinitions\en-US\ICM.adml:152: <string id="ShellRemoveOrderPrints">Turn off the "Order Prints" picture task</string>
C:\windows\PolicyDefinitions\en-US\ICM.adml:153: <string id="ShellRemoveOrderPrints_Help">This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
C:\windows\PolicyDefinitions\en-US\ICM.adml:155:The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.
C:\windows\PolicyDefinitions\en-US\ICM.adml:157:If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.
From this grep, we can see id "ShellRemoveOrderPrints" is the ID of the
string used to describe this policy, then we search for it in the ADMX:
.. code-block:: bash
PS>Get-ChildItem -Path C:\Windows\PolicyDefinitions -Recurse -Filter *.admx | Select-String "ShellRemoveOrderPrints"
C:\windows\PolicyDefinitions\ICM.admx:661: <policy name="ShellRemoveOrderPrints_1" class="User" displayName="$(string.ShellRemoveOrderPrints)" explainText="$(string.ShellRemoveOrderPrints_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoOnlinePrintsWizard">
C:\windows\PolicyDefinitions\ICM.admx:671: <policy name="ShellRemoveOrderPrints_2" class="Machine" displayName="$(string.ShellRemoveOrderPrints)" explainText="$(string.ShellRemoveOrderPrints_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoOnlinePrintsWizard">
Now we have two to pick from. And if you notice the ``class="Machine"`` and
``class="User"`` (which details if it is a computer policy or user policy
respectively) the ``ShellRemoveOrderPrints_2`` is the "short name" we could
use to pass through ``get_policy_info`` to see what the module itself is
expecting.
"""
# return the possible policy names and element names
ret = {
"policy_name": policy_name,
"policy_class": policy_class,
"policy_aliases": [],
"policy_found": False,
"rights_assignment": False,
"policy_elements": [],
"message": "policy not found",
}
policy_class = policy_class.title()
policy_data = _policy_info()
if policy_class not in policy_data.policies:
policy_classes = ", ".join(policy_data.policies)
ret["message"] = (
'The requested policy class "{}" is invalid, '
"policy_class should be one of: {}"
"".format(policy_class, policy_classes)
)
return ret
if policy_name in policy_data.policies[policy_class]["policies"]:
ret["policy_aliases"].append(
policy_data.policies[policy_class]["policies"][policy_name]["Policy"]
)
ret["policy_found"] = True
ret["message"] = ""
if "LsaRights" in policy_data.policies[policy_class]["policies"][policy_name]:
ret["rights_assignment"] = True
return ret
else:
# Case-sensitive search first
for pol in policy_data.policies[policy_class]["policies"]:
_p = policy_data.policies[policy_class]["policies"][pol]["Policy"]
if _p == policy_name:
ret["policy_aliases"].append(pol)
ret["policy_found"] = True
ret["message"] = ""
if "LsaRights" in policy_data.policies[policy_class]["policies"][pol]:
ret["rights_assignment"] = True
return ret
# Still not found, case-insensitive search
for pol in policy_data.policies[policy_class]["policies"]:
_p = policy_data.policies[policy_class]["policies"][pol]["Policy"]
if _p.lower() == policy_name.lower():
ret["policy_aliases"].append(pol)
ret["policy_found"] = True
ret["message"] = ""
if "LsaRights" in policy_data.policies[policy_class]["policies"][pol]:
ret["rights_assignment"] = True
return ret
success, policy_xml_item, policy_name_list, message = _lookup_admin_template(
policy_name=policy_name, policy_class=policy_class, adml_language=adml_language
)
if success:
for elements_item in ELEMENTS_XPATH(policy_xml_item):
for child_item in elements_item:
this_element_name = _getFullPolicyName(
policy_item=child_item,
policy_name=child_item.attrib["id"],
return_full_policy_names=True,
adml_language=adml_language,
)
ret["policy_elements"].append(
{
"element_id": child_item.attrib["id"],
"element_aliases": [child_item.attrib["id"], this_element_name],
}
)
ret["policy_aliases"] = policy_name_list
ret["policy_found"] = True
ret["message"] = ""
return ret
else:
ret["message"] = message
return ret
def get(
policy_class=None,
return_full_policy_names=True,
hierarchical_return=False,
adml_language="en-US",
return_not_configured=False,
):
"""
Get a policy value
Args:
policy_class (str):
Some policies are both user and computer, by default all policies
will be pulled, but this can be used to retrieve only a specific
policy class User/USER/user = retrieve user policies
Machine/MACHINE/machine/Computer/COMPUTER/computer = retrieve
machine/computer policies
return_full_policy_names (bool):
True/False to return the policy name as it is seen in the
``gpedit.msc`` GUI or to only return the policy key/id.
hierarchical_return (bool):
True/False to return the policy data in the hierarchy as seen in the
``gpedit.msc`` GUI. The default of False will return data split only
into User/Computer configuration sections
adml_language (str):
The ADML language to use for processing display/descriptive names
and enumeration values of ADMX template data, defaults to en-US
return_not_configured (bool):
Include Administrative Template policies that are 'Not Configured'
in the return data
Returns:
dict: A dictionary containing the policy values for the specified class
CLI Example:
.. code-block:: bash
salt '*' lgpo.get machine return_full_policy_names=True
"""
vals = {}
_policydata = _policy_info()
if policy_class is None or policy_class.lower() == "both":
policy_class = _policydata.policies.keys()
elif policy_class.lower() not in [z.lower() for z in _policydata.policies]:
msg = (
"The policy_class {} is not an available policy class, please "
"use one of the following: {}, Both"
)
raise SaltInvocationError(
msg.format(policy_class, ", ".join(_policydata.policies.keys()))
)
else:
policy_class = [policy_class.title()]
# handle policies statically defined in this module
for p_class in policy_class:
this_class_policy_names = _policydata.policies[p_class]["policies"]
class_vals = {}
for policy_name in this_class_policy_names:
_pol = None
if policy_name in _policydata.policies[p_class]["policies"]:
_pol = _policydata.policies[p_class]["policies"][policy_name]
else:
# Case-sensitive search first
for policy in _policydata.policies[p_class]["policies"]:
_p = _policydata.policies[p_class]["policies"][policy]["Policy"]
if _p == policy_name:
_pol = _policydata.policies[p_class]["policies"][policy]
policy_name = policy
# Still not found, case-insensitive search
if _pol is None:
for policy in _policydata.policies[p_class]["policies"]:
_p = _policydata.policies[p_class]["policies"][policy]["Policy"]
# Case-sensitive search first
if _p.lower() == policy_name.lower():
_pol = _policydata.policies[p_class]["policies"][policy]
policy_name = policy
if _pol:
vals_key_name = policy_name
class_vals[policy_name] = _get_policy_info_setting(_pol)
if return_full_policy_names:
class_vals[_pol["Policy"]] = class_vals.pop(policy_name)
vals_key_name = _pol["Policy"]
if hierarchical_return:
if "lgpo_section" in _pol:
firstItem = True
tdict = {}
for level in reversed(_pol["lgpo_section"]):
newdict = {}
if firstItem:
newdict[level] = {
vals_key_name: class_vals.pop(vals_key_name)
}
firstItem = False
else:
newdict[level] = tdict
tdict = newdict
if tdict:
class_vals = dictupdate.update(class_vals, tdict)
else:
raise CommandExecutionError(
"The specified policy {} is not currently available "
"to be configured via this module".format(policy_name)
)
class_vals = dictupdate.update(
class_vals,
_checkAllAdmxPolicies(
policy_class=p_class,
adml_language=adml_language,
return_full_policy_names=return_full_policy_names,
hierarchical_return=hierarchical_return,
return_not_configured=return_not_configured,
),
)
if _policydata.policies[p_class]["lgpo_section"] not in class_vals:
temp_dict = {_policydata.policies[p_class]["lgpo_section"]: class_vals}
class_vals = temp_dict
vals = dictupdate.update(vals, class_vals)
return vals
def _get_policy_info_setting(policy_definition):
"""
Some policies are defined in this module and others by the ADMX/ADML files
on the machine. This function loads the current values for policies defined
in this module.
Args:
policy_definition (dict):
A sub-dict of Policies property of the _policy_info() class.
Basically a dictionary that defines the policy
Returns:
The transformed value. The transform is defined in the policy
definition. It can be a list, a string, a dictionary, depending on how
it's defined
Usage:
policy_data = _policy_info()
policy_name = 'RemoteRegistryExactPaths'
policy_definition = policy_data.policies['Machine']['policies'][policy_name]
policy_value = _get_policy_info_setting(policy_definition)
"""
if "Registry" in policy_definition:
# Get value using the Registry mechanism
value = __utils__["reg.read_value"](
policy_definition["Registry"]["Hive"],
policy_definition["Registry"]["Path"],
policy_definition["Registry"]["Value"],
)["vdata"]
log.trace(
"Value %r found for Regisry policy %s", value, policy_definition["Policy"]
)
elif "Secedit" in policy_definition:
# Get value using the Secedit mechanism
value = _get_secedit_value(option=policy_definition["Secedit"]["Option"])
log.trace(
"Value %r found for Secedit policy %s", value, policy_definition["Policy"]
)
elif "NetSH" in policy_definition:
# Get value using the NetSH mechanism
value = _get_netsh_value(
profile=policy_definition["NetSH"]["Profile"],
option=policy_definition["NetSH"]["Option"],
)
log.trace(
"Value %r found for NetSH policy %s", value, policy_definition["Policy"]
)
elif "AdvAudit" in policy_definition:
# Get value using the AuditPol mechanism
value = _get_advaudit_value(option=policy_definition["AdvAudit"]["Option"])
log.trace(
"Value %r found for AuditPol policy %s", value, policy_definition["Policy"]
)
elif "NetUserModal" in policy_definition:
# Get value using the NetUserModal mechanism
modal_return = win32net.NetUserModalsGet(
None, policy_definition["NetUserModal"]["Modal"]
)
value = modal_return[policy_definition["NetUserModal"]["Option"]]
log.trace(
"Value %r found for NetUserModal policy %s",
value,
policy_definition["Policy"],
)
elif "LsaRights" in policy_definition:
# Get value using the LSARights mechanism
value = _getRightsAssignments(policy_definition["LsaRights"]["Option"])
log.trace(
"Value %r found for LSARights policy %s", value, policy_definition["Policy"]
)
elif "ScriptIni" in policy_definition:
value = _getScriptSettingsFromIniFile(policy_definition)
log.trace(
"Value %r found for ScriptIni policy %s", value, policy_definition["Policy"]
)
else:
raise CommandExecutionError(
"Unknown or missing mechanism in policy_definition\n{}".format(
policy_definition
)
)
value = _transform_value(
value=value, policy=policy_definition, transform_type="Get"
)
return value
def _get_policy_adm_setting(
admx_policy,
policy_class,
adml_language="en-US",
return_full_policy_names=False,
hierarchical_return=False,
):
"""
Get the current setting for polices set via the policy templates (ADMX/ADML)
files
Args:
admx_policy (obj):
The XPath object as returned by the ``_lookup_admin_template``
function
policy_class (str):
The policy class. Must be one of ``machine`` or ``user``
adml_language (str):
The language code for the adml file to use for localization. The
default is ``en-US``
return_full_policy_names (bool):
Returns the full policy name regardless of what was passed in
``policy_name``
hierarchical_return (bool):
Returns a hierarchical view of the policy showing its parents
Returns:
dict: A dictionary containing the policy settings
Usage:
policy_name = 'AutoUpdateCfg'
policy_class = 'machine'
adml_language = 'en-US'
success, policy_obj, _, _ = _lookup_admin_template(
policy_name=policy_name,
policy_class=policy_class,
adml_language=adml_language)
if success:
setting = _get_policy_adm_setting(
admx_policy=policy_obj,
policy_class=policy_class,
adml_language=adml_language,
return_full_policy_names=return_full_policy_names,
hierarchical_return=hierarchical_return
)
"""
# TODO: Need to figure out how to get the lgpo.get function to use this code
# TODO: as it is very similar
# Validate policy Key and Name attributes
this_key = admx_policy.attrib.get("key", None)
this_policy_name = admx_policy.attrib.get("name", None)
if this_key is None or this_policy_name is None:
raise CommandExecutionError(
'Policy is missing the required "key" or "name" attribute:\n{}'.format(
admx_policy.attrib
)
)
# Get additional settings
this_value_name = admx_policy.attrib.get("valueName", None)
this_policy_setting = "Not Configured"
this_policy_namespace = admx_policy.nsmap[admx_policy.prefix]
# Set some default values, these will get flipped below
element_only_enabled_disabled = True
explicit_enable_disable_value_setting = False
# Load additional data
policy_file_data = read_reg_pol_file(CLASS_INFO[policy_class]["policy_path"])
adml_policy_resources = _get_policy_resources(language=adml_language)
policy_vals = {}
if ENABLED_VALUE_XPATH(admx_policy) and this_policy_setting == "Not Configured":
# some policies have a disabled list but not an enabled list
# added this to address those issues
if DISABLED_LIST_XPATH(admx_policy) or DISABLED_VALUE_XPATH(admx_policy):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkValueItemParent(
policy_element=admx_policy,
policy_name=this_policy_name,
policy_key=this_key,
policy_valueName=this_value_name,
xpath_object=ENABLED_VALUE_XPATH,
policy_file_data=policy_file_data,
):
log.trace(
"%s is enabled by detected ENABLED_VALUE_XPATH", this_policy_name
)
this_policy_setting = "Enabled"
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
if DISABLED_VALUE_XPATH(admx_policy) and this_policy_setting == "Not Configured":
# some policies have a disabled list but not an enabled list
# added this to address those issues
if ENABLED_LIST_XPATH(admx_policy) or ENABLED_VALUE_XPATH(admx_policy):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkValueItemParent(
policy_element=admx_policy,
policy_name=this_policy_name,
policy_key=this_key,
policy_valueName=this_value_name,
xpath_object=DISABLED_VALUE_XPATH,
policy_file_data=policy_file_data,
):
log.trace(
"%s is disabled by detected DISABLED_VALUE_XPATH", this_policy_name
)
this_policy_setting = "Disabled"
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
if ENABLED_LIST_XPATH(admx_policy):
if DISABLED_LIST_XPATH(admx_policy) or DISABLED_VALUE_XPATH(admx_policy):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkListItem(
policy_element=admx_policy,
policy_name=this_policy_name,
policy_key=this_key,
xpath_object=ENABLED_LIST_XPATH,
policy_file_data=policy_file_data,
):
log.trace(
"%s is enabled by detected ENABLED_LIST_XPATH", this_policy_name
)
this_policy_setting = "Enabled"
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
if DISABLED_LIST_XPATH(admx_policy):
if ENABLED_LIST_XPATH(admx_policy) or ENABLED_VALUE_XPATH(admx_policy):
element_only_enabled_disabled = False
explicit_enable_disable_value_setting = True
if _checkListItem(
policy_element=admx_policy,
policy_name=this_policy_name,
policy_key=this_key,
xpath_object=DISABLED_LIST_XPATH,
policy_file_data=policy_file_data,
):
log.trace(
"%s is disabled by detected DISABLED_LIST_XPATH", this_policy_name
)
this_policy_setting = "Disabled"
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
if not explicit_enable_disable_value_setting and this_value_name:
# the policy has a key/valuename but no explicit Enabled/Disabled
# Value or List
# these seem to default to a REG_DWORD 1 = "Enabled" **del. = "Disabled"
if search_reg_pol(
re.escape(
_buildKnownDataSearchString(
reg_key=this_key,
reg_valueName=this_value_name,
reg_vtype="REG_DWORD",
reg_data="1",
)
),
policy_file_data,
):
log.trace(
"%s is enabled by no explicit enable/disable list or value",
this_policy_name,
)
this_policy_setting = "Enabled"
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
elif search_reg_pol(
re.escape(
_buildKnownDataSearchString(
reg_key=this_key,
reg_valueName=this_value_name,
reg_vtype="REG_DWORD",
reg_data=None,
check_deleted=True,
)
),
policy_file_data,
):
log.trace(
"%s is disabled by no explicit enable/disable list or value",
this_policy_name,
)
this_policy_setting = "Disabled"
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
full_names = {}
hierarchy = {}
if ELEMENTS_XPATH(admx_policy):
if element_only_enabled_disabled or this_policy_setting == "Enabled":
# TODO does this need to be modified based on the 'required' attribute?
required_elements = {}
configured_elements = {}
policy_disabled_elements = 0
for elements_item in ELEMENTS_XPATH(admx_policy):
for child_item in elements_item:
this_element_name = _getFullPolicyName(
policy_item=child_item,
policy_name=child_item.attrib["id"],
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
required_elements[this_element_name] = None
child_key = child_item.attrib.get("key", this_key)
child_value_name = child_item.attrib.get(
"valueName", this_value_name
)
if etree.QName(child_item).localname == "boolean":
# https://msdn.microsoft.com/en-us/library/dn605978(v=vs.85).aspx
if len(child_item) > 0:
if (
TRUE_VALUE_XPATH(child_item)
and this_element_name not in configured_elements
):
if _checkValueItemParent(
policy_element=child_item,
policy_name=this_policy_name,
policy_key=child_key,
policy_valueName=child_value_name,
xpath_object=TRUE_VALUE_XPATH,
policy_file_data=policy_file_data,
):
configured_elements[this_element_name] = True
log.trace(
"element %s is configured true",
child_item.attrib["id"],
)
if (
FALSE_VALUE_XPATH(child_item)
and this_element_name not in configured_elements
):
if _checkValueItemParent(
policy_element=child_item,
policy_name=this_policy_name,
policy_key=child_key,
policy_valueName=child_value_name,
xpath_object=FALSE_VALUE_XPATH,
policy_file_data=policy_file_data,
):
configured_elements[this_element_name] = False
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is configured false",
child_item.attrib["id"],
)
# WARNING - no standard ADMX files use true/falseList
# so this hasn't actually been tested
if (
TRUE_LIST_XPATH(child_item)
and this_element_name not in configured_elements
):
log.trace("checking trueList")
if _checkListItem(
policy_element=child_item,
policy_name=this_policy_name,
policy_key=this_key,
xpath_object=TRUE_LIST_XPATH,
policy_file_data=policy_file_data,
):
configured_elements[this_element_name] = True
log.trace(
"element %s is configured true",
child_item.attrib["id"],
)
if (
FALSE_LIST_XPATH(child_item)
and this_element_name not in configured_elements
):
log.trace("checking falseList")
if _checkListItem(
policy_element=child_item,
policy_name=this_policy_name,
policy_key=this_key,
xpath_object=FALSE_LIST_XPATH,
policy_file_data=policy_file_data,
):
configured_elements[this_element_name] = False
policy_disabled_elements = (
policy_disabled_elements + 1
)
log.trace(
"element %s is configured false",
child_item.attrib["id"],
)
else:
if search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=True,
)
),
policy_file_data,
):
configured_elements[this_element_name] = False
policy_disabled_elements = policy_disabled_elements + 1
log.trace(
"element %s is configured false",
child_item.attrib["id"],
)
elif search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=False,
)
),
policy_file_data,
):
configured_elements[this_element_name] = True
log.trace(
"element %s is configured true",
child_item.attrib["id"],
)
elif etree.QName(child_item).localname in [
"decimal",
"text",
"longDecimal",
"multiText",
]:
# https://msdn.microsoft.com/en-us/library/dn605987(v=vs.85).aspx
if search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=True,
)
),
policy_file_data,
):
configured_elements[this_element_name] = "Disabled"
policy_disabled_elements = policy_disabled_elements + 1
log.trace("element %s is disabled", child_item.attrib["id"])
elif search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=False,
)
),
policy_data=policy_file_data,
):
configured_value = _getDataFromRegPolData(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=False,
),
policy_data=policy_file_data,
)
configured_elements[this_element_name] = configured_value
log.trace(
"element %s is enabled, value == %s",
child_item.attrib["id"],
configured_value,
)
elif etree.QName(child_item).localname == "enum":
if search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=True,
)
),
policy_file_data,
):
log.trace(
"enum element %s is disabled", child_item.attrib["id"]
)
configured_elements[this_element_name] = "Disabled"
policy_disabled_elements = policy_disabled_elements + 1
else:
for enum_item in child_item:
if _checkValueItemParent(
policy_element=enum_item,
policy_name=child_item.attrib["id"],
policy_key=child_key,
policy_valueName=child_value_name,
xpath_object=VALUE_XPATH,
policy_file_data=policy_file_data,
):
if VALUE_LIST_XPATH(enum_item):
log.trace("enum item has a valueList")
if _checkListItem(
policy_element=enum_item,
policy_name=this_policy_name,
policy_key=child_key,
xpath_object=VALUE_LIST_XPATH,
policy_file_data=policy_file_data,
):
log.trace(
"all valueList items exist in file"
)
configured_elements[this_element_name] = (
_getAdmlDisplayName(
adml_xml_data=adml_policy_resources,
display_name=enum_item.attrib[
"displayName"
],
)
)
break
else:
configured_elements[this_element_name] = (
_getAdmlDisplayName(
adml_xml_data=adml_policy_resources,
display_name=enum_item.attrib[
"displayName"
],
)
)
break
elif etree.QName(child_item).localname == "list":
return_value_name = False
if (
"explicitValue" in child_item.attrib
and child_item.attrib["explicitValue"].lower() == "true"
):
log.trace("explicitValue list, we will return value names")
return_value_name = True
regex_str = [
r"(?!\*",
r"\*",
"D",
"e",
"l",
"V",
"a",
"l",
"s",
r"\.",
")",
]
delvals_regex = "\x00".join(regex_str)
delvals_regex = salt.utils.stringutils.to_bytes(delvals_regex)
if search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=False,
)
)
+ delvals_regex,
policy_data=policy_file_data,
):
configured_value = _getDataFromRegPolData(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=False,
),
policy_data=policy_file_data,
return_value_name=return_value_name,
)
configured_elements[this_element_name] = configured_value
log.trace(
"element %s is enabled values: %s",
child_item.attrib["id"],
configured_value,
)
elif search_reg_pol(
re.escape(
_processValueItem(
element=child_item,
reg_key=child_key,
reg_valuename=child_value_name,
policy=admx_policy,
parent_element=elements_item,
check_deleted=True,
)
),
policy_file_data,
):
configured_elements[this_element_name] = "Disabled"
policy_disabled_elements = policy_disabled_elements + 1
log.trace("element %s is disabled", child_item.attrib["id"])
if element_only_enabled_disabled:
if 0 < len(required_elements.keys()) == len(configured_elements.keys()):
if policy_disabled_elements == len(required_elements.keys()):
log.trace(
"%s is disabled by all enum elements", this_policy_name
)
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = "Disabled"
else:
log.trace("%s is enabled by enum elements", this_policy_name)
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = configured_elements
else:
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
else:
if this_policy_setting == "Enabled":
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = configured_elements
else:
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
else:
policy_vals.setdefault(this_policy_namespace, {})[
this_policy_name
] = this_policy_setting
if (
return_full_policy_names
and this_policy_namespace in policy_vals
and this_policy_name in policy_vals[this_policy_namespace]
):
full_names.setdefault(this_policy_namespace, {})
full_names[this_policy_namespace][this_policy_name] = _getFullPolicyName(
policy_item=admx_policy,
policy_name=admx_policy.attrib["name"],
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
# Make sure the we're passing the full policy name
# This issue was found when setting the `Allow Telemetry` setting
# All following states would show a change in this setting
# When the state does its first `lgpo.get` it would return `AllowTelemetry`
# On the second run, it would return `Allow Telemetry`
# This makes sure we're always returning the full_name when required
if this_policy_name in policy_vals[this_policy_namespace][this_policy_name]:
full_name = full_names[this_policy_namespace][this_policy_name]
setting = policy_vals[this_policy_namespace][this_policy_name].pop(
this_policy_name
)
policy_vals[this_policy_namespace][this_policy_name][full_name] = setting
if (
this_policy_namespace in policy_vals
and this_policy_name in policy_vals[this_policy_namespace]
):
hierarchy.setdefault(this_policy_namespace, {})[this_policy_name] = (
_build_parent_list(
policy_definition=admx_policy,
return_full_policy_names=return_full_policy_names,
adml_language=adml_language,
)
)
if policy_vals and return_full_policy_names and not hierarchical_return:
log.debug("Compiling non hierarchical return...")
unpathed_dict = {}
pathed_dict = {}
for policy_namespace in list(policy_vals):
for policy_item in list(policy_vals[policy_namespace]):
full_name = full_names[policy_namespace][policy_item]
if full_name in policy_vals[policy_namespace]:
# add this item with the path'd full name
full_path_list = hierarchy[policy_namespace][policy_item]
full_path_list.reverse()
full_path_list.append(full_names[policy_namespace][policy_item])
policy_vals["\\".join(full_path_list)] = policy_vals[
policy_namespace
].pop(policy_item)
pathed_dict[full_name] = True
else:
policy_vals[policy_namespace][full_name] = policy_vals[
policy_namespace
].pop(policy_item)
unpathed_dict.setdefault(policy_namespace, {})[
full_name
] = policy_item
# go back and remove any "unpathed" policies that need a full path
for path_needed in unpathed_dict.get(policy_namespace, {}):
# remove the item with the same full name and re-add it w/a path'd version
full_path_list = hierarchy[policy_namespace][
unpathed_dict[policy_namespace][path_needed]
]
full_path_list.reverse()
full_path_list.append(path_needed)
log.trace("full_path_list == %s", full_path_list)
policy_vals["\\".join(full_path_list)] = policy_vals[
policy_namespace
].pop(path_needed)
for policy_namespace in list(policy_vals):
# Remove empty entries
if policy_vals[policy_namespace] == {}:
policy_vals.pop(policy_namespace)
# Remove namespace and keep the values
elif isinstance(policy_vals[policy_namespace], dict):
if this_policy_namespace == policy_namespace and not hierarchical_return:
policy_vals.update(policy_vals[policy_namespace])
policy_vals.pop(policy_namespace)
if policy_vals and hierarchical_return:
if hierarchy:
log.debug("Compiling hierarchical return...")
for policy_namespace in hierarchy:
for hierarchy_item in hierarchy[policy_namespace]:
if hierarchy_item in policy_vals[policy_namespace]:
t_dict = {}
first_item = True
for item in hierarchy[policy_namespace][hierarchy_item]:
new_dict = {}
if first_item:
h_policy_name = hierarchy_item
if return_full_policy_names:
h_policy_name = full_names[policy_namespace][
hierarchy_item
]
new_dict[item] = {
h_policy_name: policy_vals[policy_namespace].pop(
hierarchy_item
)
}
first_item = False
else:
new_dict[item] = t_dict
t_dict = new_dict
if t_dict:
policy_vals = dictupdate.update(policy_vals, t_dict)
if (
policy_namespace in policy_vals
and policy_vals[policy_namespace] == {}
):
policy_vals.pop(policy_namespace)
policy_vals = {
CLASS_INFO[policy_class]["lgpo_section"]: {
"Administrative Templates": policy_vals
}
}
return policy_vals
def get_policy(
policy_name,
policy_class,
adml_language="en-US",
return_value_only=True,
return_full_policy_names=True,
hierarchical_return=False,
):
r"""
Get the current settings for a single policy on the machine
Args:
policy_name (str):
The name of the policy to retrieve. Can be the any of the names
or alieses returned by ``lgpo.get_policy_info``
policy_class (str):
The policy class. Must be one of ``machine`` or ``user``
adml_language (str):
The language code for the adml file to use for localization. The
default is ``en-US``
return_value_only (bool):
``True`` will return only the value for the policy, without the
name of the policy. ``return_full_policy_names`` and
``hierarchical_return`` will be ignored. Default is ``True``
return_full_policy_names (bool):
Returns the full policy name regardless of what was passed in
``policy_name``
.. note::
This setting applies to sub-elements of the policy if they
exist. The value passed in ``policy_name`` will always be used
as the policy name when this setting is ``False``
hierarchical_return (bool):
Returns a hierarchical view of the policy showing its parents
Returns:
dict: A dictionary containing the policy settings
CLI Example:
.. code-block:: bash
# Using the policy id
salt * lgpo.get_policy LockoutDuration machine
salt * lgpo.get_policy AutoUpdateCfg machine
# Using the full name
salt * lgpo.get_policy "Account lockout duration" machine
salt * lgpo.get_policy "Configure Automatic Updates" machine
# Using full path and name
salt * lgpo.get_policy "Windows Components\Windows Update\Configure Automatic Updates" machine
"""
if not policy_name:
raise SaltInvocationError("policy_name must be defined")
if not policy_class:
raise SaltInvocationError("policy_class must be defined")
policy_class = policy_class.title()
policy_data = _policy_info()
if policy_class not in policy_data.policies:
policy_classes = ", ".join(policy_data.policies.keys())
raise CommandExecutionError(
'The requested policy class "{}" is invalid, policy_class should '
"be one of: {}".format(policy_class, policy_classes)
)
# Look in the _policy_data object first
policy_definition = None
if policy_name in policy_data.policies[policy_class]["policies"]:
policy_definition = policy_data.policies[policy_class]["policies"][policy_name]
else:
# Case-sensitive search first
for pol in policy_data.policies[policy_class]["policies"]:
_p = policy_data.policies[policy_class]["policies"][pol]["Policy"]
if _p == policy_name:
policy_definition = policy_data.policies[policy_class]["policies"][pol]
break
if policy_definition is None:
# Still not found, case-insensitive search
for pol in policy_data.policies[policy_class]["policies"]:
_p = policy_data.policies[policy_class]["policies"][pol]["Policy"]
if _p.lower() == policy_name.lower():
policy_definition = policy_data.policies[policy_class]["policies"][
pol
]
break
if policy_definition:
if return_value_only:
return _get_policy_info_setting(policy_definition)
if return_full_policy_names:
key_name = policy_definition["Policy"]
else:
key_name = policy_name
setting = {key_name: _get_policy_info_setting(policy_definition)}
if hierarchical_return:
if "lgpo_section" in policy_definition:
first_item = True
t_dict = {}
for level in reversed(policy_definition["lgpo_section"]):
new_dict = {}
if first_item:
new_dict[level] = {key_name: setting.pop(key_name)}
first_item = False
else:
new_dict[level] = t_dict
t_dict = new_dict
if t_dict:
setting = t_dict
return setting
success, policy_obj, _, _ = _lookup_admin_template(
policy_name=policy_name, policy_class=policy_class, adml_language=adml_language
)
if success:
setting = _get_policy_adm_setting(
admx_policy=policy_obj,
policy_class=policy_class,
adml_language=adml_language,
return_full_policy_names=return_full_policy_names,
hierarchical_return=hierarchical_return,
)
if return_value_only:
for key in setting:
return setting[key]
return setting
def set_computer_policy(
name, setting, cumulative_rights_assignments=True, adml_language="en-US"
):
"""
Set a single computer policy
Args:
name (str):
The name of the policy to configure
setting (str):
The setting to configure the named policy with
cumulative_rights_assignments (bool): Determine how user rights
assignment policies are configured. If True, user right assignment
specifications are simply added to the existing policy. If False,
only the users specified will get the right (any existing will have
the right revoked)
adml_language (str): The language files to use for looking up
Administrative Template policy data (i.e. how the policy is
displayed in the GUI). Defaults to 'en-US' (U.S. English).
Returns:
bool: True if successful, otherwise False
CLI Example:
.. code-block:: bash
salt '*' lgpo.set_computer_policy LockoutDuration 1440
"""
ret = set_(
computer_policy={name: setting},
user_policy=None,
cumulative_rights_assignments=cumulative_rights_assignments,
adml_language=adml_language,
)
return ret
def set_user_policy(name, setting, adml_language="en-US"):
"""
Set a single user policy
Args:
name (str):
The name of the policy to configure
setting (str):
The setting to configure the named policy with
adml_language (str):
The language files to use for looking up Administrative Template
policy data (i.e. how the policy is displayed in the GUI). Defaults
to 'en-US' (U.S. English).
Returns:
bool: True if successful, Otherwise False
CLI Example:
.. code-block:: bash
salt '*' lgpo.set_user_policy "Control Panel\\Display\\Disable the Display Control Panel" Enabled
"""
ret = set_(
user_policy={name: setting},
computer_policy=None,
cumulative_rights_assignments=True,
adml_language=adml_language,
)
return ret
def set_(
computer_policy=None,
user_policy=None,
cumulative_rights_assignments=True,
adml_language="en-US",
):
"""
Set a local server policy.
Args:
computer_policy (dict):
A dictionary of "policyname: value" pairs of computer policies to
set. 'value' should be how it is displayed in the gpedit GUI, i.e.
if a setting can be 'Enabled'/'Disabled', then that should be passed
Administrative Template data may require dicts within dicts, to
specify each element of the Administrative Template policy.
Administrative Templates policies are always cumulative.
Policy names can be specified in a number of ways based on the type
of policy:
Windows Settings Policies:
These policies can be specified using the GUI display name
or the key name from the _policy_info class in this module.
The GUI display name is also contained in the _policy_info
class in this module.
Administrative Template Policies:
These can be specified using the policy name as displayed in
the GUI (case sensitive). Some policies have the same name,
but a different location (for example, "Access data sources
across domains"). These can be differentiated by the "path"
in the GUI (for example, "Windows Components\\Internet
Explorer\\Internet Control Panel\\Security Page\\Internet
Zone\\Access data sources across domains").
Additionally, policies can be specified using the "name" and
"id" attributes from the ADMX files.
For Administrative Templates that have policy elements, each
element can be specified using the text string as seen in
the GUI or using the ID attribute from the ADMX file. Due to
the way some of the GUI text is laid out, some policy
element names could include descriptive text that appears
lbefore the policy element in the GUI.
Use the get_policy_info function for the policy name to view
the element ID/names that the module will accept.
user_policy (dict):
The same setup as the computer_policy, except with data to configure
the local user policy.
cumulative_rights_assignments (bool):
Determine how user rights assignment policies are configured.
If True, user right assignment specifications are simply added to
the existing policy
If False, only the users specified will get the right (any existing
will have the right revoked)
adml_language (str):
The language files to use for looking up Administrative Template
policy data (i.e. how the policy is displayed in the GUI). Defaults
to 'en-US' (U.S. English).
Returns:
bool: True is successful, otherwise False
CLI Example:
.. code-block:: bash
salt '*' lgpo.set computer_policy="{'LockoutDuration': 2, 'RestrictAnonymous': 'Enabled', 'AuditProcessTracking': 'Succes, Failure'}"
"""
if computer_policy and not isinstance(computer_policy, dict):
raise SaltInvocationError("computer_policy must be specified as a dict")
if user_policy and not isinstance(user_policy, dict):
raise SaltInvocationError("user_policy must be specified as a dict")
policies = {"User": user_policy, "Machine": computer_policy}
if policies:
adml_policy_resources = _get_policy_resources(language=adml_language)
for p_class in policies:
_secedits = {}
_netshs = {}
_advaudits = {}
_modal_sets = {}
_admTemplateData = {}
_regedits = {}
_lsarights = {}
_policydata = _policy_info()
if policies[p_class]:
for policy_name in policies[p_class]:
_pol = None
policy_key_name = policy_name
if policy_name in _policydata.policies[p_class]["policies"]:
_pol = _policydata.policies[p_class]["policies"][policy_name]
else:
# Case-sensitive search first
for policy in _policydata.policies[p_class]["policies"]:
_p = _policydata.policies[p_class]["policies"][policy][
"Policy"
]
if _p == policy_name:
_pol = _policydata.policies[p_class]["policies"][policy]
policy_key_name = policy
if _pol is None:
# Still not found, case-insensitive search
for policy in _policydata.policies[p_class]["policies"]:
_p = _policydata.policies[p_class]["policies"][policy][
"Policy"
]
# Case-sensitive search first
if _p.lower() == policy_name.lower():
_pol = _policydata.policies[p_class]["policies"][
policy
]
policy_key_name = policy
if _pol:
# transform and validate the setting
_value = _transform_value(
value=policies[p_class][policy_name],
policy=_policydata.policies[p_class]["policies"][
policy_key_name
],
transform_type="Put",
)
if not _validateSetting(
value=_value,
policy=_policydata.policies[p_class]["policies"][
policy_key_name
],
):
raise SaltInvocationError(
"The specified value {} is not an acceptable setting"
" for policy {}.".format(
policies[p_class][policy_name], policy_name
)
)
if "Registry" in _pol:
# set value in registry
log.trace("%s is a registry policy", policy_name)
_regedits[policy_name] = {"policy": _pol, "value": _value}
elif "Secedit" in _pol:
# set value with secedit
log.trace("%s is a Secedit policy", policy_name)
if _pol["Secedit"]["Section"] not in _secedits:
_secedits[_pol["Secedit"]["Section"]] = []
_secedits[_pol["Secedit"]["Section"]].append(
" ".join([_pol["Secedit"]["Option"], "=", str(_value)])
)
elif "NetSH" in _pol:
# set value with netsh
log.trace("%s is a NetSH policy", policy_name)
_netshs.setdefault(
policy_name,
{
"profile": _pol["NetSH"]["Profile"],
"section": _pol["NetSH"]["Section"],
"option": _pol["NetSH"]["Option"],
"value": str(_value),
},
)
elif "AdvAudit" in _pol:
# set value with advaudit
_advaudits.setdefault(
policy_name,
{
"option": _pol["AdvAudit"]["Option"],
"value": str(_value),
},
)
elif "NetUserModal" in _pol:
# set value via NetUserModal
log.trace("%s is a NetUserModal policy", policy_name)
if _pol["NetUserModal"]["Modal"] not in _modal_sets:
_modal_sets[_pol["NetUserModal"]["Modal"]] = {}
_modal_sets[_pol["NetUserModal"]["Modal"]][
_pol["NetUserModal"]["Option"]
] = _value
elif "LsaRights" in _pol:
log.trace("%s is a LsaRights policy", policy_name)
_lsarights[policy_name] = {"policy": _pol, "value": _value}
else:
_value = policies[p_class][policy_name]
log.trace('searching for "%s" in admx data', policy_name)
(
success,
the_policy,
policy_name_list,
msg,
) = _lookup_admin_template(
policy_name=policy_name,
policy_class=p_class,
adml_language=adml_language,
)
if success:
policy_name = the_policy.attrib["name"]
policy_namespace = the_policy.nsmap[the_policy.prefix]
if policy_namespace not in _admTemplateData:
_admTemplateData[policy_namespace] = {}
_admTemplateData[policy_namespace][policy_name] = _value
else:
raise SaltInvocationError(msg)
if (
policy_namespace
and policy_name in _admTemplateData[policy_namespace]
and the_policy is not None
):
log.trace(
"setting == %s",
str(
_admTemplateData[policy_namespace][policy_name]
).lower(),
)
log.trace(
str(
_admTemplateData[policy_namespace][policy_name]
).lower()
)
if (
str(
_admTemplateData[policy_namespace][policy_name]
).lower()
!= "disabled"
and str(
_admTemplateData[policy_namespace][policy_name]
).lower()
!= "not configured"
):
if ELEMENTS_XPATH(the_policy):
if isinstance(
_admTemplateData[policy_namespace][policy_name],
dict,
):
for elements_item in ELEMENTS_XPATH(the_policy):
for child_item in elements_item:
# check each element
log.trace(
"checking element %s",
child_item.attrib["id"],
)
temp_element_name = None
this_element_name = _getFullPolicyName(
policy_item=child_item,
policy_name=child_item.attrib["id"],
return_full_policy_names=True,
adml_language=adml_language,
)
log.trace(
'id attribute == "%s" '
' this_element_name == "%s"',
child_item.attrib["id"],
this_element_name,
)
if (
this_element_name
in _admTemplateData[
policy_namespace
][policy_name]
):
temp_element_name = (
this_element_name
)
elif (
child_item.attrib["id"]
in _admTemplateData[
policy_namespace
][policy_name]
):
temp_element_name = (
child_item.attrib["id"]
)
else:
raise SaltInvocationError(
'Element "{}" must be included'
" in the policy configuration"
" for policy {}".format(
this_element_name,
policy_name,
)
)
if (
"required" in child_item.attrib
and child_item.attrib[
"required"
].lower()
== "true"
):
if not _admTemplateData[
policy_namespace
][policy_name][temp_element_name]:
raise SaltInvocationError(
'Element "{}" requires a value '
"to be specified".format(
temp_element_name
)
)
if (
etree.QName(child_item).localname
== "boolean"
):
if not isinstance(
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
],
bool,
):
raise SaltInvocationError(
"Element {} requires a boolean "
"True or False".format(
temp_element_name
)
)
elif (
etree.QName(child_item).localname
== "decimal"
or etree.QName(child_item).localname
== "longDecimal"
):
min_val = 0
max_val = 9999
if "minValue" in child_item.attrib:
min_val = int(
child_item.attrib[
"minValue"
]
)
if "maxValue" in child_item.attrib:
max_val = int(
child_item.attrib[
"maxValue"
]
)
if (
int(
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
]
)
< min_val
or int(
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
]
)
> max_val
):
raise SaltInvocationError(
'Element "{}" value must be between '
"{} and {}".format(
temp_element_name,
min_val,
max_val,
)
)
elif (
etree.QName(child_item).localname
== "enum"
):
# make sure the value is in the enumeration
found = False
for enum_item in child_item:
if (
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
]
== _getAdmlDisplayName(
adml_policy_resources,
enum_item.attrib[
"displayName"
],
).strip()
):
found = True
break
if not found:
raise SaltInvocationError(
'Element "{}" does not have'
" a valid value".format(
temp_element_name
)
)
elif (
etree.QName(child_item).localname
== "list"
):
if (
"explicitValue"
in child_item.attrib
and child_item.attrib[
"explicitValue"
].lower()
== "true"
):
if not isinstance(
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
],
dict,
):
raise SaltInvocationError(
"Each list item of element "
'"{}" requires a dict '
"value".format(
temp_element_name
)
)
elif not isinstance(
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
],
list,
):
raise SaltInvocationError(
'Element "{}" requires a'
" list value".format(
temp_element_name
)
)
elif (
etree.QName(child_item).localname
== "multiText"
):
if not isinstance(
_admTemplateData[
policy_namespace
][policy_name][
temp_element_name
],
list,
):
raise SaltInvocationError(
'Element "{}" requires a'
" list value".format(
temp_element_name
)
)
_admTemplateData[policy_namespace][
policy_name
][
child_item.attrib["id"]
] = _admTemplateData[
policy_namespace
][
policy_name
].pop(
temp_element_name
)
else:
raise SaltInvocationError(
'The policy "{}" has elements which must be'
" configured".format(policy_name)
)
else:
if (
str(
_admTemplateData[policy_namespace][
policy_name
]
).lower()
!= "enabled"
):
raise SaltInvocationError(
'The policy {} must either be "Enabled", '
'"Disabled", or "Not Configured"'.format(
policy_name
)
)
if _regedits:
for regedit in _regedits:
log.trace("%s is a Registry policy", regedit)
# if the value setting is None or "(value not set)", we will delete the value from the registry
if (
_regedits[regedit]["value"] is not None
and _regedits[regedit]["value"] != "(value not set)"
):
_ret = __utils__["reg.set_value"](
_regedits[regedit]["policy"]["Registry"]["Hive"],
_regedits[regedit]["policy"]["Registry"]["Path"],
_regedits[regedit]["policy"]["Registry"]["Value"],
_regedits[regedit]["value"],
_regedits[regedit]["policy"]["Registry"]["Type"],
)
else:
_ret = __utils__["reg.read_value"](
_regedits[regedit]["policy"]["Registry"]["Hive"],
_regedits[regedit]["policy"]["Registry"]["Path"],
_regedits[regedit]["policy"]["Registry"]["Value"],
)
if _ret["success"] and _ret["vdata"] != "(value not set)":
_ret = __utils__["reg.delete_value"](
_regedits[regedit]["policy"]["Registry"]["Hive"],
_regedits[regedit]["policy"]["Registry"]["Path"],
_regedits[regedit]["policy"]["Registry"]["Value"],
)
if not _ret:
raise CommandExecutionError(
"Error while attempting to set policy {} via the"
" registry. Some changes may not be applied as"
" expected".format(regedit)
)
if _lsarights:
for lsaright in _lsarights:
_existingUsers = None
if not cumulative_rights_assignments:
_existingUsers = _getRightsAssignments(
_lsarights[lsaright]["policy"]["LsaRights"]["Option"]
)
if _lsarights[lsaright]["value"]:
for acct in _lsarights[lsaright]["value"]:
_ret = _addAccountRights(
acct,
_lsarights[lsaright]["policy"]["LsaRights"][
"Option"
],
)
if not _ret:
raise SaltInvocationError(
"An error occurred attempting to configure the"
" user right {}.".format(lsaright)
)
if _existingUsers:
for acct in _existingUsers:
if acct not in _lsarights[lsaright]["value"]:
_ret = _delAccountRights(
acct,
_lsarights[lsaright]["policy"]["LsaRights"][
"Option"
],
)
if not _ret:
raise SaltInvocationError(
"An error occurred attempting to remove previously "
"configured users with right {}.".format(
lsaright
)
)
if _secedits:
# we've got secedits to make
log.trace(_secedits)
ini_data = "\r\n".join(["[Unicode]", "Unicode=yes"])
_seceditSections = [
"System Access",
"Event Audit",
"Registry Values",
"Privilege Rights",
]
for _seceditSection in _seceditSections:
if _seceditSection in _secedits:
ini_data = "\r\n".join(
[
ini_data,
"".join(["[", _seceditSection, "]"]),
"\r\n".join(_secedits[_seceditSection]),
]
)
ini_data = "\r\n".join(
[ini_data, "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
)
log.trace("ini_data == %s", ini_data)
if not _write_secedit_data(ini_data):
raise CommandExecutionError(
"Error while attempting to set policies via "
"secedit. Some changes may not be applied as "
"expected"
)
if _netshs:
# we've got netsh settings to make
for setting in _netshs:
log.trace("Setting firewall policy: %s", setting)
log.trace(_netshs[setting])
_set_netsh_value(**_netshs[setting])
if _advaudits:
# We've got AdvAudit settings to make
for setting in _advaudits:
log.trace("Setting Advanced Audit policy: %s", setting)
log.trace(_advaudits[setting])
_set_advaudit_value(**_advaudits[setting])
if _modal_sets:
# we've got modalsets to make
log.trace(_modal_sets)
for _modal_set in _modal_sets:
try:
_existingModalData = win32net.NetUserModalsGet(
None, _modal_set
)
_newModalSetData = dictupdate.update(
_existingModalData, _modal_sets[_modal_set]
)
log.trace("NEW MODAL SET = %s", _newModalSetData)
_ret = win32net.NetUserModalsSet(
None, _modal_set, _newModalSetData
)
# TODO: This needs to be more specific
except Exception as exc: # pylint: disable=broad-except
msg = (
"An unhandled exception occurred while "
"attempting to set policy via "
"NetUserModalSet\n{}".format(exc)
)
log.exception(msg)
raise CommandExecutionError(msg)
if _admTemplateData:
_ret = False
log.trace(
"going to write some adm template data :: %s", _admTemplateData
)
_ret = _writeAdminTemplateRegPolFile(
_admTemplateData,
adml_language=adml_language,
registry_class=p_class,
)
if not _ret:
raise CommandExecutionError(
"Error while attempting to write Administrative Template"
" Policy data. Some changes may not be applied as expected"
)
return True
else:
raise SaltInvocationError("You have to specify something!")
Zerion Mini Shell 1.0