About this project
PowerShell Desired State Configuration (DSC) resource library for Windows Server hardening — implementing CIS Benchmark controls, audit policy, and enterprise baseline configurations as declarative state.
Background
Windows Server hardening at enterprise scale requires that you can apply a consistent baseline to many servers and detect when they drift from it. Manual hardening scripts run once and can't detect drift; Group Policy is powerful but complex to version-control and audit. DSC gives you a declarative model: you describe the desired state, and the DSC engine enforces it continuously and reports on compliance.
The CIS Windows Server 2022 Benchmark has several hundred controls across multiple levels. I implemented the Level 1 and Level 2 controls that are applicable in an enterprise domain environment as DSC resources. Each resource is a self-contained unit that checks and enforces a specific configuration — password policy, account lockout thresholds, service states, audit policy settings, registry hardening. Pester tests validate that each resource correctly detects both compliant and non-compliant states.
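As an added example that is not part of this library, here is the shape one such resource and its drift test can take: a class-based DSC resource that enforces a single registry DWORD, and a Pester test covering the missing, drifted and remediated states. The resource name, the scratch HKCU key and the choice of DontDisplayLastUserName as the governed value are assumptions made for illustration.

```powershell
# Added example, not this library's code: a class-based DSC resource for one
# registry-backed control plus a Pester test proving it flags drift and remediates.
# Uses a scratch HKCU key (no elevation); the value name is only an illustration.
[DscResource()]
class CisRegistryDword {
    [DscProperty(Key)]       [string] $Path           # registry key, e.g. HKLM:\SOFTWARE\...
    [DscProperty(Key)]       [string] $ValueName      # DWORD value the control governs
    [DscProperty(Mandatory)] [int]    $ExpectedValue  # value the benchmark requires
    [DscProperty(NotConfigurable)] [string] $CurrentValue  # filled in by Get()
    # Read the live value, or $null when the key or value does not exist.
    hidden [object] ReadValue() {
        $item = Get-ItemProperty -Path $this.Path -Name $this.ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.($this.ValueName)
    }
    [CisRegistryDword] Get() { $this.CurrentValue = [string]$this.ReadValue(); return $this }
    # Compliant only when the value exists and equals the expected DWORD exactly.
    [bool] Test() { $v = $this.ReadValue(); return ($null -ne $v -and [int]$v -eq $this.ExpectedValue) }
    # Enforce: create the key if needed and write the expected value as REG_DWORD.
    [void] Set() {
        if (-not (Test-Path $this.Path)) { New-Item -Path $this.Path -Force | Out-Null }
        New-ItemProperty -Path $this.Path -Name $this.ValueName -Value $this.ExpectedValue `
            -PropertyType DWord -Force | Out-Null
    }
}

# Pester 5 tests: each case sets up its own registry state so they run in any order.
Describe 'CisRegistryDword drift detection' {
    BeforeAll {
        $key = 'HKCU:\Software\CisDscExample'
        New-Item -Path $key -Force | Out-Null
        $res = [CisRegistryDword]::new()
        $res.Path = $key; $res.ValueName = 'DontDisplayLastUserName'; $res.ExpectedValue = 1
    }
    AfterAll { Remove-Item -Path 'HKCU:\Software\CisDscExample' -Recurse -Force -ErrorAction SilentlyContinue }
    It 'reports non-compliance when the value is missing' {
        Remove-ItemProperty -Path $key -Name $res.ValueName -ErrorAction SilentlyContinue
        $res.Test() | Should -BeFalse
    }
    It 'reports non-compliance when the value has drifted' {
        Set-ItemProperty -Path $key -Name $res.ValueName -Value 0 -Type DWord
        $res.Test() | Should -BeFalse
    }
    It 'remediates and then reports compliance' {
        Set-ItemProperty -Path $key -Name $res.ValueName -Value 0 -Type DWord
        $res.Set()
        $res.Test() | Should -BeTrue
        $res.Get().CurrentValue | Should -Be '1'
    }
}
```

Saved as a `.Tests.ps1` file and run with `Invoke-Pester`, the three cases pass on a Windows host. DSC itself only discovers the class once it lives in a module whose manifest lists it under `DscResourcesToExport`.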
The Azure Automation State Configuration integration is what makes this practical at fleet scale. Servers register with the Automation account as DSC nodes, pull their configuration on a schedule, and report compliance status back centrally. When a server drifts from the baseline — because someone made a manual change, a software installation modified a setting, or a policy isn't applying correctly — the compliance dashboard shows it immediately rather than at the next audit.
Highlights
- CIS Windows Server 2022 Benchmark Level 1 and Level 2 controls as DSC resources
- Audit policy configuration — success/failure tracking aligned to MITRE ATT&CK logging requirements
- Pester test suite validating configuration drift detection
- Azure Automation State Configuration integration for fleet compliance reporting
- Pull server mode with scheduled consistency checks and drift alerts