Advanced Auditing with PowerShell Desired State Configuration (DSC)
Greetings interweb. It’s been a while but I’m back with a new video finally.
This video focuses on Desired State Configuration Manager (DSC) and how to configure Advanced Auditing using DSC. You can certainly configure DSC using a group policy object (GPO). My use case for this is if you have a public facing web server that is in a DMZ outside the trusted side of your network. In that case, you probably don’t want that public facing Server on your domain but you also what to audit it and patch it and all of those other security processes you might run on any other server on the trusted side of the network.
For this exercise we will install DSC on a domain joined server (Pull Server) and configure that public facing server that’s in the DMZ to pull configuration from the Pull server.
Part 1: The Pull Server
All of this code is executed on the domain-joined Pull server.
Step 1: Install the required DSC modules, we need the 3 below. You can get all of them from powershellgallery.com
These 2 are for DSC itself
Install-Module -Name PSDscResources
Install-Module -Name xPSDesiredStateConfiguration
This module allows us to configure Advanced Auditing with DSC
Install-Module -Name AuditPolicyDsc
Step 2: You need a certificate on the Pull Server and any client that will connect to the pull server. This is the mechanism used to authenticate the client since it’s not in the domain.
In my case, I just installed certificate Services on my Pull Server. It’s literally the default installation, all you need is a Root CA. You could also manually create a certificate without installing certificate services but I found this more problematic than it was worth. Certificate services was the path of least resistance for me.
Step 3: Now we need to export the certificate so we can import it on the DSC client side. You’ll need to import the certificate on any non-domain DSC client.
Step 4: Now we can install Desired State Configuration Manager on the Pull Server. Almost all of this code is identical to what you will find on MSDN with a few modifications to match my naming scheme. See the video above for a more detailed explanation of what’s going on here.
Once the DSC installation is complete, check the web address for the Pull Server. It should be, https://
Step 5: Create the MOF files for the DSC client. This code is pretty much the same code as is in the example on the module github repo. https://github.com/PowerShell/AuditPolicyDsc.
Step 6: We need to package the MOFs and DSC resources and put them in the correct file structure on the Pull Server in order for the clients to pull what’s needed. The $MOFPath in this script is where you created the MOF files in the script above, you may need to change this if you used a different file location.
DSC Pull Server Mission complete!
Part 2: The DSC Client
Step 1: Configure the Local Configuration Manager on the client. Before you run the code below, it’s worth testing the connectivity to the Pull server website. In my case, this is my site to the Pull Server https://10.0.10.1:8080/PsDscPullserver.svc. I use the IP address for the Pull server because the client is not on the Domain so DNS is not going to work unless you add a manual entry in the Host file on the client.
Step 2: If you run Get-DscConfiguration and it comes back ok, the client should be properly registered with the Pull server.
Step 3: Now that the Pull server and the client are working, we need to figure out what the format for the CSV file is that we want to use to configure Advanced Auditing. See the video to understand how I figured out the format. My CSV is linked below.
Step 4: Once you have the CSV file complete and in the correct file location run the flowing to refresh the DSC config.
Force a DSC refresh
Start-DscConfiguration –UseExisting –Verbose –Wait
Run this to verify the Audit Policy is exactly the way you had it configured in the CSV.
Check the AuditPol config took
auditpol.exe /get /category:* /r | ConvertFrom-Csv | Select-Object -Property Subcategory*,*lusion*
Hope you enjoyed that tutorial… may the PowerShell force be with you all. 🙂