From 4a72440cc7d40d71e8c55ec13555fbd32494fda3 Mon Sep 17 00:00:00 2001
From: "Steve Lee (POWERSHELL HE/HIM) (from Dev Box)"
Date: Thu, 10 Oct 2024 16:08:44 -0700
Subject: [PATCH 1/3] initial configs
---
 build.ps1 | 4 +-
 configurations/windows_baseline.dsc.yaml | 62 +++++++++++++++++++
 .../windows_inventory.dsc.yaml | 13 +++-
 wmi-adapter/Tests/wmi.tests.ps1 | 2 +-
 4 files changed, 78 insertions(+), 3 deletions(-)
 create mode 100644 configurations/windows_baseline.dsc.yaml
 rename dsc/examples/wmi_inventory.dsc.yaml => configurations/windows_inventory.dsc.yaml (71%)
diff --git a/build.ps1 b/build.ps1
index 4c3187f6..5201bf11 100644
--- a/build.ps1
+++ b/build.ps1
@@ -44,7 +44,9 @@ $filesForWindowsPackage = @(
 'RunCommandOnSet.exe',
 'windowspowershell.dsc.resource.json',
 'wmi.dsc.resource.json',
- 'wmi.resource.ps1'
+ 'wmi.resource.ps1',
+ 'configurations/windows_baseline.dsc.yaml',
+ 'configurations/windows_inventory.dsc.yaml'
 )
 $filesForLinuxPackage = @(
diff --git a/configurations/windows_baseline.dsc.yaml b/configurations/windows_baseline.dsc.yaml
new file mode 100644
index 00000000..e2e9c0ca
--- /dev/null
+++ b/configurations/windows_baseline.dsc.yaml
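Review bot: The two new entries in `$filesForWindowsPackage` are the only ones that carry a directory component (`configurations/...`) while every other entry in the array is a bare file name; whether the packaging step that consumes this list (outside the hunk) preserves that folder in the package or copies by leaf name is not visible here and is worth confirming, since a flattened copy would drop both YAML files at the package root next to the resource manifests. A short comment above the two lines, such as `# entries with a folder: the copy step must recreate 'configurations' in the package`, would make the expectation explicit for the next person editing the list. The `$filesForWindowsPackage` array starts before the hunk and closes inside it.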
@@ -0,0 +1,62 @@
+# This configuration validates a Windows system against a security baseline configuration
+$schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2024/04/config/document.json
+metadata:
+ Microsoft.DSC:
+ securityContext: Elevated
+resources:
+- name: Validate the OS is Windows
+ type: Microsoft.DSC/Assertion
+ properties:
+ $schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2024/04/config/document.json
+ resources:
+ - name: os
+ type: Microsoft/OSInfo
+ properties:
+ family: Windows
+- name: Registry checks
+ type: Microsoft.DSC/Group
+ dependsOn:
+ - "[resourceId('Microsoft.DSC/Assertion','Validate the OS is Windows')]"
+ properties:
+ $schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2024/04/config/document.json
+ resources:
+ - name: Default RDP port
+ type: Microsoft.Windows/Registry
+ metadata:
+ area: Network Access
+ severity: Critical
+ properties:
+ keyPath: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
+ valueName: PortNumber
+ valueData:
+ DWord: 3389
+ - name: Disable SMBv1
+ type: Microsoft.Windows/Registry
+ metadata:
+ area: Network Access
+ severity: Critical
+ properties:
+ keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
+ valueName: SMB1
+ valueData:
+ DWord: 0 # Disabled
+ - name: Disable Windows Search service
+ type: Microsoft.Windows/Registry
+ metadata:
+ area: Services
+ severity: Critical
+ properties:
+ keyPath: HKLM\SYSTEM\CurrentControlSet\Services\WSearch
+ valueName: Start
+ valueData:
+ DWord: 4 # Disabled
+ - name: Scan Removeable Drives
+ type: Microsoft.Windows/Registry
+ metadata:
+ area: Services
+ severity: Critical
+ properties:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
+ valueName: DisableRemovableDriveScanning
+ valueData:
+ DWord: 0 # Disabled
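Review bot: The `# Disabled` comment on the `Scan Removeable Drives` entry says the opposite of what the value means: `DisableRemovableDriveScanning` is the *disable* policy, so `DWord: 0` keeps removable-drive scanning on, and the comment should read `DWord: 0 # 0 = removable-drive scanning stays enabled (the Disable policy is off)`; the resource name also has a typo (`Removable`). The `Disable SMBv1` check asserts that `SMB1` equals 0, but on hosts where the SMBv1 feature was never installed that value is commonly absent altogether; if the Registry resource reports a missing value as a mismatch (not visible here), this Critical item would fail on the most hardened systems, so either confirm the resource's missing-value semantics or add a comment on that resource stating that the value is expected to be present and set to 0. Since every check in this document only reads HKLM values, it is also worth confirming that `securityContext: Elevated` is actually required for a validate-only run; requiring elevation makes the baseline harder to run under a least-privilege account.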
diff --git a/dsc/examples/wmi_inventory.dsc.yaml b/configurations/windows_inventory.dsc.yaml
similarity index 71%
rename from dsc/examples/wmi_inventory.dsc.yaml
rename to configurations/windows_inventory.dsc.yaml
index 9f004d1c..30f1ea18 100644
--- a/dsc/examples/wmi_inventory.dsc.yaml
+++ b/configurations/windows_inventory.dsc.yaml
@@ -1,7 +1,18 @@
 $schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2024/04/config/document.json
 resources:
+- name: Validate the OS is Windows
+ type: Microsoft.DSC/Assertion
+ properties:
+ $schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2024/04/config/document.json
+ resources:
+ - name: os
+ type: Microsoft/OSInfo
+ properties:
+ family: Windows
 - name: WMI
 type: Microsoft.Windows/WMI
+ dependsOn:
+ - "[resourceId('Microsoft.DSC/Assertion','Validate the OS is Windows')]"
 properties:
 resources:
 - name: computer system
@@ -39,4 +50,4 @@ resources:
 adaptertype:
 netconnectionid:
 serviceName:
- netconnectionstatus: 2
+ netconnectionstatus: 2 # Connected
diff --git a/wmi-adapter/Tests/wmi.tests.ps1 b/wmi-adapter/Tests/wmi.tests.ps1
index 2d2dd613..e4145d26 100644
--- a/wmi-adapter/Tests/wmi.tests.ps1
+++ b/wmi-adapter/Tests/wmi.tests.ps1
@@ -47,7 +47,7 @@ Describe 'WMI adapter resource tests' {
 }
 It 'Example config works' -Skip:(!$IsWindows) {
- $configPath = Join-Path $PSScriptRoot '..\..\dsc\examples\wmi_inventory.dsc.yaml'
+ $configPath = Join-Path $PSScriptRoot '..\..\configurations\windows_inventory.dsc.yaml'
 $r = dsc config get -p $configPath
 $LASTEXITCODE | Should -Be 0
 $r | Should -Not -BeNullOrEmpty
From f9c66ebeb52eb88875b749812b74960e9bb06f0e Mon Sep 17 00:00:00 2001
From: "Steve Lee (POWERSHELL HE/HIM) (from Dev Box)"
Date: Wed, 16 Oct 2024 19:30:39 -0700
Subject: [PATCH 2/3] Fix wmi-adapter to not return error if no instances are returned
---
 wmi-adapter/wmi.resource.ps1 | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/wmi-adapter/wmi.resource.ps1 b/wmi-adapter/wmi.resource.ps1
index 908e987c..81154734 100644
--- a/wmi-adapter/wmi.resource.ps1
+++ b/wmi-adapter/wmi.resource.ps1
@@ -165,12 +165,6 @@ elseif ($Operation -eq 'Get')
 $result += @($instance_result)
 }
- else
- {
- $errmsg = "Can not find type " + $r.type + "; please ensure that Get-CimInstance returns this resource type"
- Write-Trace $errmsg
- exit 1
- }
 }
 }
 else # we are processing an individual resource call
From 8affd55e8cf21797ca00b971155b08832cd17924 Mon Sep 17 00:00:00 2001
From: "Steve Lee (POWERSHELL HE/HIM) (from Dev Box)"
Date: Wed, 16 Oct 2024 20:06:39 -0700
Subject: [PATCH 3/3] fix test to look at wmi result and not osinfo
---
 wmi-adapter/Tests/wmi.tests.ps1 | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/wmi-adapter/Tests/wmi.tests.ps1 b/wmi-adapter/Tests/wmi.tests.ps1
index e4145d26..6ad3971a 100644
--- a/wmi-adapter/Tests/wmi.tests.ps1
+++ b/wmi-adapter/Tests/wmi.tests.ps1
@@ -52,10 +52,10 @@ Describe 'WMI adapter resource tests' {
 $LASTEXITCODE | Should -Be 0
 $r | Should -Not -BeNullOrEmpty
 $res = $r | ConvertFrom-Json
- $res.results[0].result.actualState[0].Name | Should -Not -BeNullOrEmpty
- $res.results[0].result.actualState[0].BootupState | Should -BeNullOrEmpty
- $res.results[0].result.actualState[1].Caption | Should -Not -BeNullOrEmpty
- $res.results[0].result.actualState[1].BuildNumber | Should -BeNullOrEmpty
- $res.results[0].result.actualState[4].AdapterType | Should -BeLike "Ethernet*"
+ $res.results[1].result.actualState[0].Name | Should -Not -BeNullOrEmpty
+ $res.results[1].result.actualState[0].BootupState | Should -BeNullOrEmpty
+ $res.results[1].result.actualState[1].Caption | Should -Not -BeNullOrEmpty
+ $res.results[1].result.actualState[1].BuildNumber | Should -BeNullOrEmpty
+ $res.results[1].result.actualState[4].AdapterType | Should -BeLike "Ethernet*"
 }
 }
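Review bot: Removing the `else` branch makes a WMI class that yields no instances indistinguishable from a successful query: the adapter now exits 0 with an empty result for that resource and writes no trace at all, so a misspelled or unsupported `type` in a configuration can go unnoticed (how much of that the preceding `Get-CimInstance` call already surfaces depends on its error handling, which is outside the hunk). Not failing is reasonable for a genuinely empty class, but the diagnostic should survive as a non-fatal trace, e.g. `else { Write-Trace ("No instances returned for type " + $r.type) }`, so an empty result remains visible to whoever reads the adapter's output. The enclosing `elseif ($Operation -eq 'Get')` block starts before the hunk and continues after it.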
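Review bot: The test now hard-codes `results[1]` for the WMI resource because the OS assertion added to `windows_inventory.dsc.yaml` occupies `results[0]`; any further reordering of that configuration will silently shift the index and break these five assertions again. Selecting the entry by resource type is more robust and self-documenting, e.g. `$wmi = ($res.results | Where-Object type -eq 'Microsoft.Windows/WMI').result.actualState` followed by `$wmi[0].Name | Should -Not -BeNullOrEmpty` and so on (assuming each result entry carries the resource `type` as written in the configuration; confirm against the `dsc config get` output), or at minimum add `# results[0] is the OS assertion; the WMI resource is results[1]` above the first assertion. The `It` block starts before the hunk, and the two closing braces appear to end both `It` and the enclosing `Describe`.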