DSCResources/SecurityBase/SecurityBase.schema.psm1

configuration SecurityBase {
    param (
        [Parameter()]
        [ValidateSet('Baseline', 'WebServer', 'FileServer')]
        [string]
        $Role
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xPSDesiredStateConfiguration
    Import-DscResource -ModuleName ComputerManagementDsc
    Import-DscResource -ModuleName SecurityPolicyDsc

    #Baseline
    xWindowsFeature DisableSmbV1
    {
        Name   = 'FS-SMB1'
        Ensure = 'Absent'
    }

    PowerShellExecutionPolicy ExecutionPolicyAllSigned
    {
        ExecutionPolicyScope = 'LocalMachine'
        ExecutionPolicy      = 'RemoteSigned'
    }

    UserRightsAssignment DenyLogonLocallyForAdministrator
    {
        Policy   = 'Deny_log_on_locally'
        Identity = 'contoso\Administrator'
    }

    UserRightsAssignment AllowLogonLocally
    {
        Policy   = 'Allow_log_on_locally'
        Identity = 'Administrators', 'Backup Operators'
    }

    #FileServer
    if ($Role -eq 'FileServer')
    {
        SecurityOption SecOptionsFileServer
        {
            Name                                                           = 'Web Server Secutiry options'
            Interactive_logon_Message_title_for_users_attempting_to_log_on = 'Secure File Server'
            Interactive_logon_Message_text_for_users_attempting_to_log_on  = 'Your are logging on to a secure file server'
            Accounts_Rename_administrator_account                          = 'a'
        }
    }

    #Web Server
    if ($Role -eq 'WebServer')
    {
        SecurityOption SecOptionsWebServer
        {
            Name                                                                         = 'Web Server Secutiry options'
            Interactive_logon_Message_title_for_users_attempting_to_log_on               = 'Secure Web Server'
            Interactive_logon_Message_text_for_users_attempting_to_log_on                = 'Your are logging on to a secure web server'
            Accounts_Rename_administrator_account                                        = 'a'
            Network_security_LAN_Manager_authentication_level                            = 'Send NTLMv2 responses only. Refuse LM & NTLM'
            Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change = 'Enabled'
        }
    }
}