Request : RegistryPolicy include FileHash parameter

[bdanse]

From a security point of view, how do I know the file that is being imported is not modified.
A filehash check would be a nice addition to this great module.

For example run get-filehash against "c:\GPO\domainSysvol\GPO\Machine\registry.pol". And include the Hash result in the resource

`Configuration Sample_RegistryPolicy
{
param
(
[String] $NodeName = 'localhost'
)

Import-DscResource -ModuleName GPRegistryPolicy

Node $NodeName
{
    RegistryPolicy GPPolicy
    {
        Path = "c:\GPO\domainSysvol\GPO\Machine\registry.pol"
    FileHash = '9A7C892496CFAA5CF8CC2BDDCC255E15CEDF95997F87FF8913E5DB7EB17A006B'
    }
}

}`

[zjalexander]

👍 great question, and this might be a great addition to the resource. in the meantime, would you be able to use something like the File resource's Checksum to get a similar (but not exactly the same) effect?

File regPol
        {
            DestinationPath = "C:\Users\Administrator\Documents\registry.pol"
            SourcePath = "c:\GPO\domainSysvol\GPO\Machine\registry.pol"
            Checksum = "SHA-512"
        }
        RegistryPolicy baselineGpo
        {
            Path = "C:\Users\Administrator\Documents\registry.pol"
            DependsOn = "[File]regPol"
        }

I'm not entirely sure if I recommend grabbing it from Sysvol, but certainly you could keep the file somewhere where it's locked down by permissions. If the file is modified in transit, DSC will see the checksums don't match and signal an error. This also saves you from having to calculate the checksum by hand and update the configuration whenever your .pol changes.

[zjalexander]

I just noticed similar issues were opened in the other 2 resource repos we released today. I think the above suggest applies equally well to all of them so I'll direct discussion here if that's ok

[bdanse]

I just noticed similar issues were opened in the other 2 resource repos we released today. I think the above suggest applies equally well to all of them so I'll direct discussion here if that's ok

Sure, I wasn't sure the maintainers where the same so posted the request on all 3.

About distribution of the files I am not sure myself. But if I maintain the policy using regular tools it would reduce the steps.

Not thought of the file checksum. Thank you for the tip! And if we could prevent from administrating the checksum that would be great. As that would prevent an update of the configuration itself. You would need two versions to make the compare. And the source should be really secure.

[zjalexander]

And the source should be really secure.

You can use ACL's to prevent the Wrong People from editing the file. You can use the pull server's signing functionality to validate the configuration is coming from the right place and transmit the configuration over HTTPS. Then the DSC engine would run on its regular schedule and validate the configuration, the hash of the file, and ensure that the system is compliant with whatever is stored in that file.

This article on securing MOF files should get you through most of that process

Does that meet all of your needs?

[bdanse]

Sorry, with source I meant the .pol, .csv and .inf. These need to be in a trusted location. Since it will be used to compare the destination file on the receiving node.

[zjalexander]

Gotcha. I agree, they should all be secure. However I don't think DSC has a role in securing those things... Would it help if I updated the sample I originally published with the [File] change we discussed above and included some of these assumptions as a best-practice sort of thing?

[bdanse]

Yeah, I can work with this. An would greatly help to include this in the examples for others.

Case closed :) Thank you for the help.

[zjalexander]

no problem. right now i'm working with a few people to figure out the best way to write up and distribute sample configurations through the gallery and I was already planning for this scenario to be one of the first ones. I'll track it .... somewhere, and close this issue after I link to that other tracking item.