windows-hardening (5) Versions 0.7.2

Hardening cookbook for Windows 2012 R2

cookbook 'windows-hardening', '= 0.7.2', :supermarket
cookbook 'windows-hardening', '= 0.7.2'
knife supermarket install windows-hardening
knife supermarket download windows-hardening
Quality 33%

windows-hardening (Chef Cookbook)

This cookbook provides recipes for ensuring that a Windows 2012 R2 system is compliant with the DevSec Windows Baseline.

Coding guidelines

Use Chef resources wherever possible. Lock files have been used for secedit.exe and auditpol commands. The registry_key resource has been used extensively.
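The lock-file guard mentioned above, sketched in plain Ruby as an added example (it is not code from the windows-hardening cookbook). `LockedPolicy`, `demo`, the lock naming scheme and the policy strings are assumptions made for illustration. The sketch goes one step beyond the text by keying the lock to a digest of the policy content, so an edited policy is applied again rather than skipped.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not part of the windows-hardening cookbook): run a
# policy command such as secedit.exe or auditpol only when no lock file
# exists for the current policy content.
class LockedPolicy
  def initialize(lock_dir)
    @lock_dir = lock_dir
    FileUtils.mkdir_p(@lock_dir)
  end

  # Lock name embeds a digest of the policy text, so an edited policy gets
  # a new lock and is applied again instead of being silently skipped.
  def lock_path(name, policy_text)
    File.join(@lock_dir, "#{name}-#{Digest::SHA256.hexdigest(policy_text)[0, 16]}.lock")
  end

  # Yields the policy text to the block that runs the real command.
  # The block must return true on success; the lock is written only then,
  # so a failed run is retried on the next converge.
  def apply(name, policy_text)
    lock = lock_path(name, policy_text)
    return :skipped if File.exist?(lock)
    return :failed unless yield(policy_text)

    File.write(lock, Time.now.utc.to_s)
    :applied
  end
end

# Constructed demo: the block stands in for the auditpol call and records
# what it was asked to apply. The policy strings are placeholders, not
# real auditpol syntax.
def demo
  Dir.mktmpdir do |dir|
    calls = []
    policy = LockedPolicy.new(dir)
    runner = ->(text) { calls << text; true }
    results = [
      policy.apply('auditpol', 'Logon:Success,Failure', &runner),
      policy.apply('auditpol', 'Logon:Success,Failure', &runner),
      policy.apply('auditpol', 'Logon:Failure', &runner),
      policy.apply('auditpol', 'Logoff:Success') { |_t| false }
    ]
    [results, calls.length]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

A lock file only records that the command ran once; it does not detect a setting changed on the node afterwards, which is what the Compliance scan described below is for.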

Testing the cookbook


This cookbook ships with a test-kitchen setup to verify that the implementation follows the DevSec Windows Baseline:

kitchen test

Chef Server and Chef Compliance

If you use Chef Server, you can bootstrap a node and run a Chef Compliance scan against it. It is recommended to use an EC2 instance in a Chef environment made up of a Chef Server and a Compliance Server. The following command can be used to bootstrap a node:

knife ec2 server create --node-name windows-test --flavor t2.medium --image ami-29eb7e5a --security-group-ids sg-238e5744 --user-data win-userdata.ps1 --winrm-user Administrator --winrm-password Ch4ng3m3 --ssh-key emea-sa-shared -r 'recipe[base-win2012-hardening::enable_winrm_access]'

Please note the following:
* To bootstrap a Windows node using Knife you need a predictable password. The win-userdata.ps1 file, in this repo, provides this.
* You need a security group that allows winrm access and RDP access.
* We set a run-list. The enable_winrm_access recipe prepares the node for a manual Compliance scan.

Applying at scale

This cookbook is currently in development and does not yet cover all requirements for a fully hardened Windows environment. Contributions to improve the cookbook are welcome. If you wish to apply this at scale, use a role and add the cookbook to its run list; there is no need to apply a specific recipe.

Contributors + Kudos


See the contributor guideline.

License and Author

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

Collaborator Number Metric

0.7.2 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Foodcritic Metric

0.7.2 failed this metric

FC033: Missing template: windows-hardening/recipes/02_account_lockout.rb:10
Run with Foodcritic Version 8.2.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

License Metric

0.7.2 passed this metric