Premium module

sce_windows

Security Compliance Enforcement for Windows

Module Stats

1,107 downloads

256 latest version

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Puppet Core

Security Compliance Enforcement uses Puppet policy-as-code (PaC) to enforce security configurations aligned to CIS Benchmarks and DISA STIGs, giving you a leg up on many compliance expectations and streamlining audit prep. In Puppet Enterprise, it is accessed through the included Security Compliance Management Console.

It can be applied to Puppet Enterprise or Puppet Core (see the compatibility list below).

Version information

released Feb 25th 2025

This version is compatible with:

Puppet Enterprise 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
Puppet >= 6.23.0 < 9.0.0

Tasks:

sce_delete_securitypolicy_inf

Tags: security, hardening, compliance, cis, comply

Documentation

puppetlabs/sce_windows — version 2.1.0 Feb 25th 2025

`sce_windows`

Product documentation is available on the Puppet Docs website.

SCE for Windows Reference

CIS Microsoft Windows Server 2016 Benchmark 3.0.0
CIS Microsoft Windows Server 2019 Benchmark 3.0.1
CIS Microsoft Windows Server 2022 Benchmark 3.0.0
CIS Microsoft Windows 10 Stand-alone Benchmark 3.0.0

CIS Microsoft Windows Server 2016 Benchmark 3.0.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

Parameters:

dsc_enforce_password_history - [ Optional[Integer[0, 4294967295]] ] - Default: 24

Supported Profiles & Levels:

member_server, level_1
member_server, level_2
domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'":
      dsc_enforce_password_history: 24

Alternate Config IDs:

1.1.1
c1_1_1
ensure_enforce_password_history_is_set_to_24_or_more_passwords

Resource:

Class['sce_windows::utils::accountpolicy_wrapper']

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

Parameters:

dsc_maximum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 60

Supported Profiles & Levels:

member_server, level_1
member_server, level_2
domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'":
      dsc_maximum_password_age: 60

Alternate Config IDs:

1.1.2
c1_1_2
ensure_maximum_password_age_is_set_to_365_or_fewer_days_but_not_0

Resource:

Class['sce_windows::utils::accountpolicy_wrapper']

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

Parameters:

dsc_minimum_password_age - [ Optional[Integer[0, 4294967295]] ] - Default: 1

Supported Profiles & Levels:

member_server, level_1
member_server, level_2
domain_controller, level_1

Hiera Configuration Example:

sce_windows::config:
  control_configs:
    "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'":
      dsc_minimum_password_age: 1

Alternate Config IDs:

1.1.3
c1_1_3
ensure_minimum_password_age_is_set_to_1_or_more_days

Resource:

Class['sce_windows::utils::accountpolicy_wrapper']

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

Parameters:

dsc_minimum_password_length - [ Optional[Integer[0, 4294967295]] ] - Default: 14

Supported Profiles & Levels:

member_server, level_1
member_server, level_2
do

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

sce_windows

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Puppet Core

Version information

This version is compatible with:

Tasks:

Documentation

sce_windows

SCE for Windows Reference

Table of Contents

CIS Microsoft Windows Server 2016 Benchmark 3.0.0

1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.2 - (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.3 - (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.4 - (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

Parameters:

Supported Profiles & Levels:

`sce_windows`