DSCResources/common/windows.AccessControl.ps1
|
# Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. $rules = Get-RuleClassData -StigData $StigData -Name PermissionRule Foreach ( $rule in $rules ) { # Determine PermissionRule type and handle Switch ($rule.dscresource) { 'RegistryAccessEntry' { RegistryAccessEntry (Get-ResourceTitle -Rule $rule) { Path = $rule.Path Force = [bool]$rule.Force AccessControlList = $( foreach ($acentry in $rule.AccessControlEntry.Entry) { AccessControlList { Principal = $acentry.Principal ForcePrincipal = [bool]$rule.ForcePrincipal AccessControlEntry = @( AccessControlEntry { AccessControlType = $( if (-not ([string]::IsNullOrEmpty($acentry.Type))) { $acentry.Type } else { 'Allow' } ) Inheritance = $( if (-not ([string]::IsNullOrEmpty($acentry.Inheritance))) { $acentry.Inheritance } else { 'This Key and Subkeys' } ) Rights = $acentry.Rights.Split(',') Ensure = 'Present' } ) } } ) } break } 'NTFSAccessEntry' { NTFSAccessEntry (Get-ResourceTitle -Rule $rule) { Path = $rule.Path Force = [bool]$rule.Force AccessControlList = $( foreach ($acentry in $rule.AccessControlEntry.Entry) { NTFSAccessControlList { Principal = $acentry.Principal ForcePrincipal = [bool]$rule.ForcePrincipal AccessControlEntry = @( NTFSAccessControlEntry { AccessControlType = $( if (-not ([string]::IsNullOrEmpty($acentry.Type))) { $acentry.Type } else { 'Allow' } ) Inheritance = $( if (-not ([string]::IsNullOrEmpty($acentry.Inheritance))) { $acentry.Inheritance } else { 'This folder only' } ) FileSystemRights = $acentry.Rights.Split(',') Ensure = 'Present' } ) } } ) } break } } } |