test_win_lgpo.py 36 KB

# -*- coding: utf-8 -*-
# Import Python libs
from __future__ import absolute_import, print_function, unicode_literals
import os
import re
import io
import logging
# Import Salt Testing libs
from tests.support.case import ModuleCase
from tests.support.unit import skipIf
from tests.support.helpers import destructiveTest, generate_random_name
from tests.support.runtests import RUNTIME_VARS
# Import Salt libs
import salt.utils.files
import salt.utils.platform
import salt.utils.win_reg as reg
log = logging.getLogger(__name__)
@skipIf(not salt.utils.platform.is_windows(), 'windows test only')
class WinLgpoTest(ModuleCase):
  '''
  Tests for salt.modules.win_lgpo
  '''
  osrelease = None
  def _testRegistryPolicy(self,
                          policy_name,
                          policy_config,
                          registry_value_hive,
                          registry_value_path,
                          registry_value_vname,
                          expected_value_data):
      '''
      Apply a registry based policy and verify the registry value it controls.

      The policy is set through ``lgpo.set_computer_policy`` and the outcome
      is checked by reading the value back with ``reg.read_value``, so the
      assertion is made against what is stored in the registry and not only
      against the return of the module call.

      policy_name
          name of the registry based policy to configure
      policy_config
          the configuration of the policy
      registry_value_hive
          the registry hive that the policy registry path is in
      registry_value_path
          the registry value path that the policy updates
      registry_value_vname
          the registry value name
      expected_value_data
          the expected data that the value will contain
      '''
      set_result = self.run_function('lgpo.set_computer_policy',
                                     (policy_name, policy_config))
      self.assertTrue(set_result)

      reg_entry = reg.read_value(registry_value_hive,
                                 registry_value_path,
                                 registry_value_vname)
      read_failed_msg = 'Failed to obtain the registry data for policy {0}'.format(policy_name)
      # assertTrue raises when the read did not succeed, so the comparison
      # below only ever runs against a value that was actually retrieved
      self.assertTrue(reg_entry['success'], msg=read_failed_msg)

      mismatch_msg = 'The registry value data {0} does not match the expected value {1} for policy {2}'.format(
          reg_entry['vdata'],
          expected_value_data,
          policy_name)
      self.assertEqual(reg_entry['vdata'], expected_value_data, mismatch_msg)
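  def _testSeceditPolicy(self,
                         policy_name,
                         policy_config,
                         expected_regexes,
                         cumulative_rights_assignments=True):
      '''
      Takes a secedit policy name and config and validates that the expected
      output is returned from secedit

      The policy is applied with ``lgpo.set_computer_policy``, the effective
      security settings are exported with ``secedit /export`` into a randomly
      named file under ``RUNTIME_VARS.TMP`` and every expected regex is
      searched for in that export. The export file is removed again before
      the method returns.

      policy_name
          name of the secedit policy to configure
      policy_config
          the configuration of the policy
      expected_regexes
          the expected regexes to be found in the secedit output file
      cumulative_rights_assignments
          passed through unchanged to ``lgpo.set_computer_policy``
      '''
      ret = self.run_function('lgpo.set_computer_policy',
                              (policy_name, policy_config),
                              cumulative_rights_assignments=cumulative_rights_assignments)
      self.assertTrue(ret)
      secedit_output_file = os.path.join(RUNTIME_VARS.TMP, generate_random_name('secedit-output-'))
      try:
          secedit_output = self.run_function(
              'cmd.run',
              (),
              cmd='secedit /export /cfg {0}'.format(secedit_output_file))
          secedit_file_content = None
          if secedit_output:
              # secedit writes its export as UTF-16
              with io.open(secedit_output_file, encoding='utf-16') as _reader:
                  secedit_file_content = _reader.read()
          # Fail with a readable message when nothing was exported; without
          # this check re.search() below would raise a TypeError on None.
          self.assertIsNotNone(
              secedit_file_content,
              'Failed validating policy "{0}" configuration, secedit export returned no output'.format(policy_name))
          for expected_regex in expected_regexes:
              match = re.search(
                  expected_regex,
                  secedit_file_content,
                  re.IGNORECASE | re.MULTILINE)
              self.assertIsNotNone(match, 'Failed validating policy "{0}" configuration, regex "{1}" not found in secedit output'.format(policy_name, expected_regex))
      finally:
          # The export describes the host's security settings (password
          # policy, user rights assignments); do not leave a copy behind in
          # the temp directory, whether the assertions passed or not.
          try:
              os.remove(secedit_output_file)
          except OSError:
              # the file was never created (export failed) - nothing to clean
              pass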
  def _testComputerAdmxPolicy(self,
                              policy_name,
                              policy_config,
                              expected_regexes,
                              assert_true=True):
      '''
      Apply an ADMX policy and validate the resulting machine Registry.pol.

      The policy is set with ``lgpo.set_computer_policy``; the Registry.pol
      file is then parsed with ``lgpo.exe /parse /m`` and the parser output is
      searched for every expected regex (case-insensitive).

      policy_name
          name of the ADMX policy to configure
      policy_config
          the configuration of the policy
      expected_regexes
          the expected regexes to be found in the lgpo parse output
      assert_true
          set to false if expecting the module run to fail
      '''
      set_result = self.run_function('lgpo.set_computer_policy',
                                     (policy_name, policy_config))
      log.debug('lgpo set_computer_policy ret == %s', set_result)

      if not assert_true:
          # expecting it to fail: nothing is parsed or matched in this case
          self.assertNotEqual(set_result, True)
          return

      self.assertTrue(set_result)

      # NOTE(review): lgpo.exe is invoked by bare name, so which binary runs
      # depends on the command search path of the minion; an absolute path
      # would pin it to the copy this test class installs.
      parse_cmd = ' '.join((
          'lgpo.exe',
          '/parse',
          '/m',
          r'c:\Windows\System32\GroupPolicy\Machine\Registry.pol'))
      lgpo_output = self.run_function('cmd.run', (), cmd=parse_cmd)

      # validate that the lgpo output doesn't say the format is invalid
      bad_format = re.search(r'Invalid file format\.', lgpo_output, re.IGNORECASE)
      self.assertIsNone(bad_format,
                        msg='Failed validating Registry.pol file format')

      # validate that the regexes we expect are in the output
      not_found_msg = ('Failed validating policy "{0}" configuration, regex '
                       '"{1}" not found in lgpo output:\n{2}')
      for expected_regex in expected_regexes:
          found = re.search(expected_regex, lgpo_output, re.IGNORECASE)
          self.assertIsNotNone(
              found,
              msg=not_found_msg.format(policy_name, expected_regex, lgpo_output))
  def runTest(self):
      '''
      Intentionally empty test method.

      NOTE(review): presumably present so that the class can be instantiated
      without a method name, as setUpClass does with ``cls()`` - confirm.
      '''
      return None
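  @classmethod
  def setUpClass(cls):
      '''
      class setup function, only runs once

      downloads and extracts the lgpo.exe tool into c:/windows/system32
      for use in validating the registry.pol files

      gets osrelease grain for tests that are only applicable to certain
      windows versions
      '''
      osrelease_grains = cls().run_function('grains.item', ['osrelease'])
      # Only index into the result when it really is a mapping: on a string
      # result the ``in`` test would be a substring match and the lookup
      # below would raise a TypeError.
      if isinstance(osrelease_grains, dict) and 'osrelease' in osrelease_grains:
          cls.osrelease = osrelease_grains['osrelease']
      else:
          log.debug('Unable to get osrelease grain')

      lgpo_exe = r'c:\windows\system32\lgpo.exe'
      if not os.path.exists(lgpo_exe):
          log.debug('lgpo.exe does not exist, attempting to download/extract')
          # source_hash pins the SHA-256 of the archive, so the state only
          # extracts a download that matches the expected digest. The
          # executable is placed in system32 and is not removed by this class.
          ret = cls().run_function('state.single',
                                   ('archive.extracted', r'c:\windows\system32'),
                                   source='https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip',
                                   archive_format='zip',
                                   source_hash='sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4',
                                   enforce_toplevel=False)
          log.debug('ret from archive.unzip == %s', ret)
          # The state return was previously only logged at debug level; make
          # a failed download/extract visible, since every ADMX test in this
          # class depends on the tool being present.
          if not os.path.exists(lgpo_exe):
              log.error('lgpo.exe is still missing after download/extract, '
                        'Registry.pol validation will fail: %s', ret)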
  @destructiveTest
  def test_set_computer_policy_NTP_Client(self):
      '''
      Walk the "Configure Windows NTP Client" policy through Disabled,
      Enabled (with explicit settings) and Not Configured, checking the
      Registry.pol entries after each step.
      '''
      ntp_policy = r'System\Windows Time Service\Time Providers\Configure Windows NTP Client'

      # Disable Configure NTP Client: every value is expected as a DELETE entry
      expect_disabled = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*NtpServer[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*Type[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*CrossSiteSyncFlags[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMinutes[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMaxTimes[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*SpecialPollInterval[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*EventLogFlags[\s]*DELETE',
      ]
      self._testComputerAdmxPolicy(ntp_policy, 'Disabled', expect_disabled)

      # Enable Configure NTP Client
      ntp_settings = {
          'NtpServer': 'time.windows.com,0x9',
          'Type': 'NT5DS',
          'CrossSiteSyncFlags': 2,
          'ResolvePeerBackoffMinutes': 15,
          'ResolvePeerBackoffMaxTimes': 7,
          'W32TIME_SpecialPollInterval': 3600,
          'W32TIME_NtpClientEventLogFlags': 0,
      }
      expect_enabled = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*NtpServer[\s]*SZ:time.windows.com,0x9',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*Type[\s]*SZ:NT5DS',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*CrossSiteSyncFlags[\s]*DWORD:2',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMinutes[\s]*DWORD:15',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMaxTimes[\s]*DWORD:7',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*SpecialPollInterval[\s]*DWORD:3600',
          r'Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*EventLogFlags[\s]*DWORD:0',
      ]
      self._testComputerAdmxPolicy(ntp_policy, ntp_settings, expect_enabled)

      # set Configure NTP Client to 'Not Configured': only the parser's
      # header/footer is expected in the output
      expect_not_configured = [
          r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.',
      ]
      self._testComputerAdmxPolicy(ntp_policy, 'Not Configured', expect_not_configured)
  @destructiveTest
  def test_set_computer_policy_RA_Unsolicit(self):
      '''
      Walk the RA_Unsolicit policy through Disabled, a configured state with
      a helper list, and Not Configured.
      '''
      policy = 'RA_Unsolicit'

      # Disable RA_Unsolicit
      log.debug('Attempting to disable RA_Unsolicit')
      expect_disabled = [
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:0',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DELETE',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*\*[\s]*DELETEALLVALUES',
      ]
      self._testComputerAdmxPolicy(policy, 'Disabled', expect_disabled)

      # configure RA_Unsolicit
      log.debug('Attempting to configure RA_Unsolicit')
      helper_settings = {
          'Configure Offer Remote Access': 'Enabled',
          'Permit remote control of this computer': 'Allow helpers to remotely control the computer',
          'Helpers': ['administrators', 'user1'],
      }
      expect_configured = [
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1',
      ]
      self._testComputerAdmxPolicy(policy, helper_settings, expect_configured)

      # Not Configure RA_Unsolicit: the last step takes the policy back out
      # of Registry.pol, so the helper list above is not left configured there
      log.debug('Attempting to set RA_Unsolicit to Not Configured')
      expect_not_configured = [
          r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.',
      ]
      self._testComputerAdmxPolicy(policy, 'Not Configured', expect_not_configured)
  @destructiveTest
  def test_set_computer_policy_Pol_HardenedPaths(self):
      '''
      Walk the Pol_HardenedPaths (Hardened UNC Paths) policy through
      Disabled, a configured state and Not Configured.
      '''
      policy = 'Pol_HardenedPaths'

      # Disable Pol_HardenedPaths
      log.debug('Attempting to disable Pol_HardenedPaths')
      expect_disabled = [
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\*[\s]*DELETEALLVALUES',
      ]
      self._testComputerAdmxPolicy(policy, 'Disabled', expect_disabled)

      # Configure Pol_HardenedPaths: both shares are set to require mutual
      # authentication and integrity
      log.debug('Attempting to configure Pol_HardenedPaths')
      unc_settings = {
          'Hardened UNC Paths': {
              r'\\*\NETLOGON': 'RequireMutualAuthentication=1, RequireIntegrity=1',
              r'\\*\SYSVOL': 'RequireMutualAuthentication=1, RequireIntegrity=1',
          },
      }
      expect_configured = [
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\\\\\*\\NETLOGON[\s]*SZ:RequireMutualAuthentication=1, RequireIntegrity=1[\s]*',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\\\\\*\\SYSVOL[\s]*SZ:RequireMutualAuthentication=1, RequireIntegrity=1[\s]*',
      ]
      self._testComputerAdmxPolicy(policy, unc_settings, expect_configured)

      # Not Configure Pol_HardenedPaths
      log.debug('Attempting to set Pol_HardenedPaths to Not Configured')
      expect_not_configured = [
          r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.',
      ]
      self._testComputerAdmxPolicy(policy, 'Not Configured', expect_not_configured)
  @destructiveTest
  def test_set_computer_policy_WindowsUpdate(self):
      '''
      Walk the "Configure Automatic Updates" policy through its enabled,
      Disabled and Not Configured states.

      The option names of this policy differ between the 2012 and the later
      server releases, so the settings used depend on ``self.osrelease``.
      '''
      au_policy = r'Windows Components\Windows Update\Configure Automatic Updates'

      # default settings, used when the host is not a 2012 release
      au_settings = {
          'Configure automatic updating': '4 - Auto download and schedule the install',
          'Install during automatic maintenance': False,
          'Scheduled install day': '7 - Every Saturday',
          'Scheduled install time': '17:00',
          'Install updates for other Microsoft products': True
      }
      au_expected = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:0',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DWORD:4',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DWORD:7',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DWORD:17',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DWORD:1\s*'
      ]

      # Configure Automatic Updates has different options in 2016 than in 2012
      # and has only one boolean item, so we'll test it "False" in this block
      # and then "True" in next block
      # NOTE(review): the extent of this branch is reconstructed from the
      # comments and from the 2012-style 'Schedule install ...' keys; confirm
      # the nesting against the upstream file.
      if self.osrelease in ['2012Server', '2012ServerR2']:
          au_settings = {
              'Configure automatic updating': '4 - Auto download and schedule the install',
              'Install during automatic maintenance': False,
              'Schedule install day': '7 - Every Saturday',
              'Schedule install time': '17:00',
          }
          au_expected = [
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:0',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DWORD:4',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DWORD:7',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DWORD:17',
          ]
          # test as False
          self._testComputerAdmxPolicy(au_policy, au_settings, au_expected)

          # configure as True for "enable Automatic Updates" test below
          au_settings = {
              'Configure automatic updating': '4 - Auto download and schedule the install',
              'Install during automatic maintenance': True,
              'Schedule install day': '7 - Every Saturday',
              'Schedule install time': '17:00',
          }
          au_expected = [
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:0',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DWORD:4',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DWORD:1\s*',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DWORD:7',
              r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DWORD:17',
          ]

      # enable Automatic Updates
      self._testComputerAdmxPolicy(au_policy, au_settings, au_expected)

      # disable Configure Automatic Updates
      expect_disabled = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:1',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DELETE'
      ]
      self._testComputerAdmxPolicy(au_policy, 'Disabled', expect_disabled)

      # set Configure Automatic Updates to 'Not Configured'
      expect_not_configured = [
          r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.',
      ]
      self._testComputerAdmxPolicy(au_policy, 'Not Configured', expect_not_configured)
  @destructiveTest
  def test_set_computer_policy_ClipboardRedirection(self):
      '''
      Set "Do not allow Clipboard redirection" to Enabled, Disabled and
      Not Configured and check Registry.pol after each change.
      '''
      clip_policy = r'Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection'

      # (setting, regexes expected in the lgpo parse output), applied in order
      steps = (
          ('Enabled',
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:1']),
          ('Disabled',
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0']),
          ('Not Configured',
           [r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.']),
      )
      for setting, expected in steps:
          self._testComputerAdmxPolicy(clip_policy, setting, expected)
  @destructiveTest
  def test_set_computer_policy_PasswordComplexity(self):
      '''
      Disable and then enable the password complexity requirement, addressing
      the policy once by its full name and once by its short name.

      The last step leaves PasswordComplexity enabled; nothing in this method
      restores the value the host had before the test.
      '''
      steps = (
          # disable PasswordComplexity
          ('Password must meet complexity requirements', 'Disabled', [r'^PasswordComplexity = 0']),
          # enable PasswordComplexity
          ('PasswordComplexity', 'Enabled', [r'^PasswordComplexity = 1']),
      )
      for policy, setting, expected in steps:
          self._testSeceditPolicy(policy, setting, expected)
  @destructiveTest
  def test_set_computer_policy_PasswordLen(self):
      '''
      Set the minimum password length to 10 and then to 0, addressing the
      policy once by its full name and once by its short name.

      The last step leaves MinimumPasswordLength at 0 and nothing in this
      method restores the previous value, so the host ends the test with no
      minimum length enforced by this setting.
      '''
      steps = (
          # set Minimum password length
          ('Minimum password length', 10, [r'^MinimumPasswordLength = 10']),
          # set MinimumPasswordLength = 0
          ('MinPasswordLen', 0, [r'^MinimumPasswordLength = 0']),
      )
      for policy, length, expected in steps:
          self._testSeceditPolicy(policy, length, expected)
  @destructiveTest
  def test_set_computer_policy_SeNetworkLogonRight(self):
      '''
      Test setting/changing the SeNetworkLogonRight user right
      ("Access this computer from the network").
      '''
      # set SeNetworkLogonRight to only Administrators; cumulative rights
      # assignment is switched off for this call so that the expected export
      # line lists the Administrators SID alone
      admins_only = ['Administrators']
      self._testSeceditPolicy('Access this computer from the network',
                              admins_only,
                              [r'^SeNetworkLogonRight = \*S-1-5-32-544'],
                              cumulative_rights_assignments=False)

      # set SeNetworkLogonRight back to the default
      default_groups = ['Everyone', 'Administrators', 'Users', 'Backup Operators']
      self._testSeceditPolicy('SeNetworkLogonRight',
                              default_groups,
                              [r'^SeNetworkLogonRight = \*S-1-1-0,\*S-1-5-32-544,\*S-1-5-32-545,\*S-1-5-32-551'])
  @destructiveTest
  def test_set_computer_policy_multipleAdmxPolicies(self):
      '''
      Tests setting several ADMX policies in succession and validating the
      configuration with lgpo.

      Each step expects its own Registry.pol entries plus those of every
      policy set before it, so a later write that dropped an earlier policy
      would be detected.
      '''
      clipboard_entries = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0',
      ]
      ra_unsolicit_entries = [
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1',
          r'Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1',
      ]
      auto_update_entries = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:1',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DELETE',
      ]

      # set one policy
      self._testComputerAdmxPolicy(
          r'Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection',
          'Disabled',
          clipboard_entries)

      # set another policy and make sure both this policy and the previous are okay
      helper_settings = {
          'Configure Offer Remote Access': 'Enabled',
          'Permit remote control of this computer': 'Allow helpers to remotely control the computer',
          'Helpers': ['administrators', 'user1'],
      }
      self._testComputerAdmxPolicy(
          'RA_Unsolicit',
          helper_settings,
          clipboard_entries + ra_unsolicit_entries)

      # Configure Automatic Updates and validate everything is still okay
      self._testComputerAdmxPolicy(
          r'Windows Components\Windows Update\Configure Automatic Updates',
          'Disabled',
          clipboard_entries + ra_unsolicit_entries + auto_update_entries)
  @destructiveTest
  def test_set_computer_policy_DisableDomainCreds(self):
      '''
      Tests Enable/Disable of DisableDomainCreds policy, addressing it once
      by its short name and once by its full display name.

      The last step leaves the policy Disabled (registry value 0); nothing in
      this method restores the value the host had before the test.
      '''
      hive = 'HKEY_LOCAL_MACHINE'
      lsa_key = 'SYSTEM\\CurrentControlSet\\Control\\Lsa'
      value_name = 'DisableDomainCreds'

      self._testRegistryPolicy('DisableDomainCreds',
                               'Enabled',
                               hive,
                               lsa_key,
                               value_name,
                               1)
      self._testRegistryPolicy(
          'Network access: Do not allow storage of passwords and credentials for network authentication',
          'Disabled',
          hive,
          lsa_key,
          value_name,
          0)
  @destructiveTest
  def test_set_computer_policy_ForceGuest(self):
      '''
      Tests changing ForceGuest policy, addressing it once by its short name
      and once by its full display name.

      The second step sets the policy to the "Classic" model (registry value
      0), which is the state the host is left in.
      '''
      hive = 'HKEY_LOCAL_MACHINE'
      lsa_key = 'SYSTEM\\CurrentControlSet\\Control\\Lsa'
      value_name = 'ForceGuest'

      self._testRegistryPolicy('ForceGuest',
                               'Guest only - local users authenticate as Guest',
                               hive,
                               lsa_key,
                               value_name,
                               1)
      self._testRegistryPolicy(
          'Network access: Sharing and security model for local accounts',
          'Classic - local users authenticate as themselves',
          hive,
          lsa_key,
          value_name,
          0)
  @destructiveTest
  def test_set_computer_policy_DisableUXWUAccess(self):
      '''
      Tests changing DisableUXWUAccess

      #50079 shows using the 'Remove access to use all Windows Update features' failed

      Policy only exists on 2016
      '''
      valid_osreleases = ['2016Server']
      if self.osrelease not in valid_osreleases:
          # skipTest raises, so nothing below runs on other releases
          self.skipTest('DisableUXWUAccess policy is only applicable if the osrelease grain is {0}'.format(' or '.join(valid_osreleases)))

      # The same policy is addressed three ways: by id, by display name and
      # by its full path.
      steps = (
          (r'DisableUXWUAccess',
           'Enabled',
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetDisableUXWUAccess[\s]*DWORD:1']),
          (r'Remove access to use all Windows Update features',
           'Disabled',
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetDisableUXWUAccess[\s]*DWORD:0']),
          (r'Windows Components\Windows Update\Remove access to use all Windows Update features',
           'Not Configured',
           [r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.']),
      )
      for policy, setting, expected in steps:
          self._testComputerAdmxPolicy(policy, setting, expected)
  @destructiveTest
  def test_set_computer_policy_Access_data_sources_across_domains(self):
      '''
      Tests a policy whose display name is shared by several policies.

      Setting it by the bare name is expected not to succeed; setting it by
      its full path (Internet Zone) is expected to work.
      '''
      # the bare name alone: the module run must not return True
      self._testComputerAdmxPolicy(r'Access data sources across domains',
                                   'Enabled',
                                   [],
                                   assert_true=False)

      full_path = r'Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains'
      steps = (
          ({'Access data sources across domains': 'Prompt'},
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DWORD:1']),
          ({'Access data sources across domains': 'Enable'},
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DWORD:0']),
          ('Disabled',
           [r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DELETE']),
      )
      for setting, expected in steps:
          self._testComputerAdmxPolicy(full_path, setting, expected)
  @destructiveTest
  def test_set_computer_policy_ActiveHours(self):
      '''
      Test configuring the ActiveHours policy, #47784

      Only applies to 2016Server

      # activehours.sls
      active_hours_policy:
        lgpo.set:
          - computer_policy:
              'ActiveHours':
                  'ActiveHoursStartTime': '8 AM'
                  'ActiveHoursEndTime': '7 PM'
      '''
      valid_osreleases = ['2016Server']
      if self.osrelease not in valid_osreleases:
          # skipTest raises, so nothing below runs on other releases
          self.skipTest('ActiveHours policy is only applicable if the osrelease grain is {0}'.format(' or '.join(valid_osreleases)))

      # 8 AM - 7 PM: the end time is expected as the 24-hour value 19
      first_window = {'ActiveHoursStartTime': '8 AM', 'ActiveHoursEndTime': '7 PM'}
      expect_first = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:1',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DWORD:8',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DWORD:19'
      ]
      self._testComputerAdmxPolicy(r'ActiveHours', first_window, expect_first)

      # 5 AM - 10 PM: the end time is expected as the 24-hour value 22
      second_window = {'ActiveHoursStartTime': '5 AM', 'ActiveHoursEndTime': '10 PM'}
      expect_second = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:1',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DWORD:5',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DWORD:22'
      ]
      self._testComputerAdmxPolicy(r'ActiveHours', second_window, expect_second)

      # Disabled, addressed by the policy's display name
      expect_disabled = [
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:0',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DELETE',
          r'Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DELETE'
      ]
      self._testComputerAdmxPolicy('Turn off auto-restart for updates during active hours',
                                   'Disabled',
                                   expect_disabled)

      # Not Configured, addressed by the policy's full path
      expect_not_configured = [
          r'; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED.',
      ]
      self._testComputerAdmxPolicy(r'Windows Components\Windows Update\Turn off auto-restart for updates during active hours',
                                   'Not Configured',
                                   expect_not_configured)
  def tearDown(self):
      '''
      tearDown method, runs after each test

      Removes the machine and user Registry.pol files so that the next test
      starts without ADMX policy data from the previous one. Only these two
      files are removed here: settings applied through secedit or written
      directly to the registry by the tests are not reverted by this method.
      '''
      pol_files = (
          'c:\\windows\\system32\\grouppolicy\\machine\\registry.pol',
          'c:\\windows\\system32\\grouppolicy\\user\\registry.pol',
      )
      for pol_file in pol_files:
          self.run_function('state.single', ('file.absent', pol_file))
  555. ret = self.run_function('state.single',
  556. ('file.absent', 'c:\\windows\\system32\\grouppolicy\\user\\registry.pol'))