DSCResources/MSFT_SecurityOption/MSFT_SecurityOption.schema.mof

[ClassVersion("1.0.0.0")]
class MSFT_RestrictedRemoteSamSecurityDescriptor
{
    [Write, ValueMap{"Allow","Deny"},Values{"Allow","Deny"}] String Permission;
    [Write] String Identity;
};
 
[ClassVersion("2.0.0.0"), FriendlyName("SecurityOption")]
class MSFT_SecurityOption : OMI_BaseResource
{
    [Key, Description("Describes the security option to be managed. This could be anything as long as it is unique")] String Name;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Accounts_Administrator_account_status;
    [Write, ValueMap{"This policy is disabled","Users cant add Microsoft accounts","Users cant add or log on with Microsoft accounts"}, Values{"This policy is disabled","Users cant add Microsoft accounts","Users cant add or log on with Microsoft accounts"}] String Accounts_Block_Microsoft_accounts;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Accounts_Guest_account_status;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only;
    [Write] String Accounts_Rename_administrator_account;
    [Write] String Accounts_Rename_guest_account;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Audit_the_access_of_global_system_objects;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Audit_the_use_of_Backup_and_Restore_privilege;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Shut_down_system_immediately_if_unable_to_log_security_audits;
    [Write] String DCOM_Machine_Access_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax;
    [Write] String DCOM_Machine_Launch_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Allow_undock_without_having_to_log_on;
    [Write, ValueMap{"Administrators","Administrators and Power Users","Administrators and Interactive Users"}, Values{"Administrators","Administrators and Power Users","Administrators and Interactive Users"}] String Devices_Allowed_to_format_and_eject_removable_media;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Prevent_users_from_installing_printer_drivers;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Restrict_floppy_access_to_locally_logged_on_user_only;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_controller_Allow_server_operators_to_schedule_tasks;
    [Write, ValueMap{"None","Require Signing"}, Values{"None","Require Signing"}] String Domain_controller_LDAP_server_signing_requirements;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_controller_Refuse_machine_account_password_changes;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Digitally_encrypt_secure_channel_data_when_possible;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Digitally_sign_secure_channel_data_when_possible;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Disable_machine_account_password_changes;
    [Write] String Domain_member_Maximum_machine_account_password_age;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Require_strong_Windows_2000_or_later_session_key;
    [Write, ValueMap{"User displayname, domain and user names","User display name only","Do not display user information"}, Values{"User displayname, domain and user names","User display name only","Do not display user information"}] String Interactive_logon_Display_user_information_when_the_session_is_locked;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Do_not_display_last_user_name;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Do_not_require_CTRL_ALT_DEL;
    [Write] String Interactive_logon_Machine_account_lockout_threshold;
    [Write] String Interactive_logon_Machine_inactivity_limit;
    [Write] String Interactive_logon_Message_text_for_users_attempting_to_log_on;
    [Write] String Interactive_logon_Message_title_for_users_attempting_to_log_on;
    [Write] String Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available;
    [Write] String Interactive_logon_Prompt_user_to_change_password_before_expiration;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Require_smart_card;
    [Write, ValueMap{"No Action","Lock workstation","Force logoff","Disconnect if a remote Remote Desktop Services session"}, Values{"No Action","Lock workstation","Force logoff","Disconnect if a remote Remote Desktop Services session"}] String Interactive_logon_Smart_card_removal_behavior;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_client_Digitally_sign_communications_always;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_client_Digitally_sign_communications_if_server_agrees;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers;
    [Write] String Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session;
    [Write, ValueMap{"Default","Enabled","Disabled"}, Values{"Default","Enabled","Disabled"}] String Microsoft_network_server_Attempt_S4U2Self_to_obtain_claim_information;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_server_Digitally_sign_communications_always;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_server_Digitally_sign_communications_if_client_agrees;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_server_Disconnect_clients_when_logon_hours_expire;
    [Write, ValueMap{"Off","Accept if provided by client","Required from client"}, Values{"Off","Accept if provided by client","Required from client"}] String Microsoft_network_server_Server_SPN_target_name_validation_level;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Allow_anonymous_SID_Name_translation;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Let_Everyone_permissions_apply_to_anonymous_users;
    [Write] String Network_access_Named_Pipes_that_can_be_accessed_anonymously;
    [Write] String Network_access_Remotely_accessible_registry_paths;
    [Write] String Network_access_Remotely_accessible_registry_paths_and_subpaths;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares;
    [Write, EmbeddedInstance("MSFT_RestrictedRemoteSamSecurityDescriptor"), Description("The Permission and Identity required for restricted remote Sam access")] String Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM[];
    [Write] String Network_access_Shares_that_can_be_accessed_anonymously;
    [Write, ValueMap{"Classic - Local users authenticate as themselves","Guest only - Local users authenticate as Guest"}, Values{"Classic - Local users authenticate as themselves","Guest only - Local users authenticate as Guest"}] String Network_access_Sharing_and_security_model_for_local_accounts;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Allow_LocalSystem_NULL_session_fallback;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities;
    [Write, ValueMap{"DES_CBC_CRC","DES_CBC_MD5","RC4_HMAC_MD5","AES128_HMAC_SHA1","AES256_HMAC_SHA1","FUTURE"}, Values{"DES_CBC_CRC","DES_CBC_MD5","RC4_HMAC_MD5","AES128_HMAC_SHA1","AES256_HMAC_SHA1","FUTURE"}] String Network_security_Configure_encryption_types_allowed_for_Kerberos[];
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Force_logoff_when_logon_hours_expire;
    [Write, ValueMap{"Send LM & NTLM responses","Send LM & NTLM - use NTLMv2 session security if negotiated","Send NTLM responses only","Send NTLMv2 responses only","Send NTLMv2 responses only. Refuse LM","Send NTLMv2 responses only. Refuse LM & NTLM"}, Values{"Send LM & NTLM responses","Send LM & NTLM - use NTLMv2 session security if negotiated","Send NTLM responses only","Send NTLMv2 responses only","Send NTLMv2 responses only. Refuse LM","Send NTLMv2 responses only. Refuse LM & NTLM"}] String Network_security_LAN_Manager_authentication_level;
    [Write, ValueMap{"None","Negotiate Signing","Require Signing"}, Values{"None","Negotiate Signing","Require Signing"}] String Network_security_LDAP_client_signing_requirements;
    [Write, ValueMap{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}, Values{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}] String Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients;
    [Write, ValueMap{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}, Values{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}] String Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers;
    [Write] String Network_security_Restrict_NTLM_Add_remote_server_exceptions_for_NTLM_authentication;
    [Write] String Network_security_Restrict_NTLM_Add_server_exceptions_in_this_domain;
    [Write, ValueMap{"Allow all","Deny all domain accounts","Deny all accounts"}, Values{"Allow all","Deny all domain accounts","Deny all accounts"}] String Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic;
    [Write, ValueMap{"Disable","Deny for domain accounts to domain servers","Deny for domain accounts","Deny for domain servers","Deny all"}, Values{"Disable","Deny for domain accounts to domain servers","Deny for domain accounts","Deny for domain servers","Deny all"}] String Network_Security_Restrict_NTLM_NTLM_authentication_in_this_domain;
    [Write, ValueMap{"Allow all","Audit all","Deny all"}, Values{"Allow all","Audit all","Deny all"}] String Network_Security_Restrict_NTLM_Outgoing_NTLM_traffic_to_remote_servers;
    [Write, ValueMap{"Disabled","Enable auditing for domain accounts","Enable auditing for all accounts"}, Values{"Disabled","Enable auditing for domain accounts","Enable auditing for all accounts"}] String Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic;
    [Write, ValueMap{"Disable","Enable for domain accounts to domain servers","Enable for domain accounts","Enable for domain servers","Enable all"}, Values{"Disable","Enable for domain accounts to domain servers","Enable for domain accounts","Enable for domain servers","Enable all"}] String Network_Security_Restrict_NTLM_Audit_NTLM_authentication_in_this_domain;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Recovery_console_Allow_automatic_administrative_logon;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Recovery_console_Allow_floppy_copy_and_access_to_all_drives_and_folders;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Shutdown_Clear_virtual_memory_pagefile;
    [Write, ValueMap{"User input is not required when new keys are stored and used","User is prompted when the key is first used","User must enter a password each time they use a key"}, Values{"User input is not required when new keys are stored and used","User is prompted when the key is first used","User must enter a password each time they use a key"}] String System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_objects_Require_case_insensitivity_for_non_Windows_subsystems;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links;
    [Write] String System_settings_Optional_subsystems;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_settings_Use_Certificate_Rules_on_Windows_Executables_for_Software_Restriction_Policies;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop;
    [Write, ValueMap{"Elevate without prompting","Prompt for credentials on the secure desktop","Prompt for consent on the secure desktop","Prompt for credentials","Prompt for consent","Prompt for consent for non-Windows binaries"}, Values{"Elevate without prompting","Prompt for credentials on the secure desktop","Prompt for consent on the secure desktop","Prompt for credentials","Prompt for consent","Prompt for consent for non-Windows binaries"}] String User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode;
    [Write, ValueMap{"Automatically deny elevation request","Prompt for credentials on the secure desktop","Prompt for credentials"}, Values{"Automatically deny elevation request","Prompt for credentials on the secure desktop","Prompt for credentials"}] String User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Detect_application_installations_and_prompt_for_elevation;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Only_elevate_executables_that_are_signed_and_validated;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation;
    [Write, ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations;
};