This is the XOAP PowerShell DSC configuration repository.
It is part of our XOAP Automation Forces Open Source community library to give you a quick start into Infrastructure as Code deployments with PowerShell DSC in addition to config.XO.
Please check the links for more info, including usage information and full documentation:
This repository hosts some of the most common DSC configurations that we use in our projects.
You will find the following DSC configurations in this repository:
- Citrix infrastructure and Citrix optimizer configurations
- DoD STIG configurations
- general Windows configurations
- Microsoft security baseline configurations
All configurations are provided AS IS. We are not responsible for anything that happens inside your environment because you applied the configurations and did not test them thoroughly before doing so.
Be sure to always test any of those configurations in a separate test environment, on test clients and servers.
Some of the available DSC configurations make severe changes to security-related configurations and could leave your Windows operating system in an unusable state.
So please test once, twice or thrice.
We use the following guidelines to write code, so that everyone follows the same conventions. Please check these links before starting to work on changes.
Git Naming Conventions are an important part of the development process. They describe how Branches, Commit Messages, Pull Requests and Tags should look to make them easily understandable for everybody in the development chain.
The Conventional Commits specification is a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history, which makes it easier to write automated tools on top of it.
The better a Pull Request description is, the better a reviewer can understand the changes and decide how to review them. This improves implementation speed and reduces communication between the requester and the reviewer, resulting in much less overhead.
Writing A Great Pull Request Description
Versioning is a crucial part of Terraform Stacks and Modules. Without version tags you cannot clearly create a stable environment and be sure that your latest changes will not crash your production environment (sure, it can still happen, but we are trying our best to implement everything that we can to reduce the risk).
Like this project? Please give it a ★ on our GitHub! It helps us a lot.
Please use the issue tracker to report any bugs or file feature requests.
If you are interested in being a contributor and want to get involved in developing this project, we would love to hear from you! Email us.
PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that we can review your changes
NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!
On most supported Windows versions, you do not have to do anything. On Windows versions prior to Windows Server 2016 or Windows 10, you should install Windows Management Framework 5.1. You can download it here.
A typical DSC configuration looks like this:
```powershell
Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
    Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'

    Node 'MSTF_SecurityBaseline_Edge_v107_Computer'
    {
        RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\Edge\SitePerProcess'
        {
            ValueName  = 'SitePerProcess'
            ValueData  = 1
            ValueType  = 'Dword'
            TargetType = 'ComputerConfiguration'
            Key        = 'HKLM:\Software\Policies\Microsoft\Edge'
        }
    }
}

MSTF_SecurityBaseline_Edge_v107_Computer -OutputPath 'C:\MSTF_SecurityBaseline_Edge_v107_Computer'
```
In order to compile this example, you need to take care that all the referenced DSC modules are available locally.
You can check availability with:
```powershell
# List the DSC resources that are available on this machine
Get-DscResource
```
If DSC modules are missing, you can install them simply by e.g. running:
```powershell
Install-Module SecurityPolicyDSC
```
It could be that you need to install PowerShellGet and the NuGet provider, and that you have to trust the PSGallery to be able to install the DSC modules.
Please be aware that this is the most basic example. We advise always defining the module versions in production environments before compiling the configurations, and implementing a versioning system to track changes to those DSC configurations. Not defining versions could lead to compilation errors because of functional changes between module versions.
Defining the versions of the modules could look like this:
```powershell
Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
    # Pin the exact module version the configuration was written against
    Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'

    Node 'MSTF_SecurityBaseline_Edge_v107_Computer'
    {
        RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\Edge\SitePerProcess'
        {
            ValueName  = 'SitePerProcess'
            ValueData  = 1
            ValueType  = 'Dword'
            TargetType = 'ComputerConfiguration'
            Key        = 'HKLM:\Software\Policies\Microsoft\Edge'
        }
    }
}
```
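A pre-compile check for the pinned module versions described above, as an added example that is not part of the XOAP repository: it reads the `Import-DscResource` lines of a configuration and reports whether each module is installed in exactly the pinned version. The helper names `Get-PinnedDscModule` and `Test-PinnedDscModule` are hypothetical, and the sample text includes an unpinned `SecurityPolicyDsc` import to show how a missing pin is flagged.

```powershell
# Added example (not from the XOAP repository). $ConfigText is constructed sample input.
$ConfigText = @'
Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
    Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'
    Import-DscResource -ModuleName 'SecurityPolicyDsc'
}
'@

# Hypothetical helper: extract module name and pinned version from Import-DscResource lines.
# Handles the single-module form used on this page, not comma lists or hashtable syntax.
function Get-PinnedDscModule {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($m in [regex]::Matches($Text, '(?im)^\s*Import-DscResource\b(?<rest>.*)$')) {
        $rest = $m.Groups['rest'].Value
        $name = [regex]::Match($rest, '(?i)-ModuleName\s+[''"]?(?<v>[\w.\-]+)').Groups['v'].Value
        $ver  = [regex]::Match($rest, '(?i)-ModuleVersion\s+[''"]?(?<v>[\d.]+)').Groups['v'].Value
        if ($name) { [pscustomobject]@{ Name = $name; Version = $ver } }
    }
}

# Hypothetical helper: report whether each pinned module exists locally in that exact version.
function Test-PinnedDscModule {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($mod in Get-PinnedDscModule -Text $Text) {
        if (-not $mod.Version) {
            # An unpinned import compiles against whatever version happens to be installed.
            [pscustomobject]@{ Name = $mod.Name; Version = '(none)'; Status = 'NoVersionPinned' }
            continue
        }
        $spec  = @{ ModuleName = $mod.Name; RequiredVersion = $mod.Version }
        $found = Get-Module -ListAvailable -FullyQualifiedName $spec
        [pscustomobject]@{
            Name    = $mod.Name
            Version = $mod.Version
            Status  = if ($found) { 'Installed' } else { 'Missing' }
        }
    }
}

Test-PinnedDscModule -Text $ConfigText | Format-Table -AutoSize

# To install a module reported as 'Missing' in exactly the pinned version:
#   Install-Module -Name 'GPRegistryPolicyDsc' -RequiredVersion '1.2.0' -Repository PSGallery
```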
So now that all DSC modules are available and the module versions are defined, you need to run the following command in your PowerShell to compile it locally:
```powershell
. PATHTOYOURSCRIPT\MSTF_SecurityBaseline_Edge_v107_Computer.ps1
MSTF_SecurityBaseline_Edge_v107_Computer
```
You should now have a localhost.mof file in this location.
The last step is to apply this configuration to your local host:
```powershell
Start-DscConfiguration -Path PATHTOYOURCONFIGURATION\MSTF_SecurityBaseline_Edge_v107_Computer -Verbose -Wait
```
Please be sure to run all of these commands in PowerShell 5.1.
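Because some of these configurations change security settings severely, it helps to see what a compiled MOF would change before applying it. The following is an added example, not part of the XOAP repository: it uses `Test-DscConfiguration -ReferenceConfiguration` to compare the machine against the MOF without applying it. The helper name `Get-DscDriftReport` is hypothetical and `$MofPath` is a placeholder built from the path and file name used above.

```powershell
# Added example (not from the XOAP repository). Run in an elevated PowerShell 5.1 session.
# $MofPath is a placeholder; point it at the MOF file you compiled.
$MofPath = 'PATHTOYOURCONFIGURATION\MSTF_SecurityBaseline_Edge_v107_Computer\localhost.mof'

# Hypothetical helper: compare the node against the MOF without changing anything.
function Get-DscDriftReport {
    param([Parameter(Mandatory)][string]$ReferenceConfiguration)

    if (-not (Test-Path -LiteralPath $ReferenceConfiguration -PathType Leaf)) {
        throw "MOF file not found: $ReferenceConfiguration"
    }

    # With -ReferenceConfiguration only the test phase of each resource runs; nothing is set.
    $result = Test-DscConfiguration -ReferenceConfiguration $ReferenceConfiguration

    foreach ($r in $result.ResourcesInDesiredState) {
        [pscustomobject]@{ ResourceId = $r.ResourceId; InDesiredState = $true }
    }
    foreach ($r in $result.ResourcesNotInDesiredState) {
        [pscustomobject]@{ ResourceId = $r.ResourceId; InDesiredState = $false }
    }
}

$report  = @(Get-DscDriftReport -ReferenceConfiguration $MofPath)
$changes = @($report | Where-Object { -not $_.InDesiredState })

# Resources that are not in the desired state are listed first.
$report | Sort-Object InDesiredState | Format-Table -AutoSize
Write-Host ("{0} of {1} resources would be changed by Start-DscConfiguration." -f $changes.Count, $report.Count)
```

Running the same report again after `Start-DscConfiguration` confirms that every resource reached the desired state.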
Refer to our documentation here