Published on 19 March 2014 by

The puppetlabs-registry module is fairly mature, having been first published back in early 2012. So why are we talking about it now? It is among the first batch of modules officially supported for use with Puppet Enterprise!

While Puppet Enterprise has always included some supported modules, we added full support for a new assortment of widely used modules in the Puppet Enterprise 3.2.0 release. It's the first wave of our ongoing supported module program, in which we’ll continue providing full Puppet Enterprise testing, integration and support for a growing library of Forge modules that help our customers get their work done.

The puppetlabs-registry module provides a set of types and providers that let you use Puppet to create and manage Windows Registry keys. Custom types for the management of keys and values are included, as well as a defined type that allows for the management of key/value pairs and automatic handling of parent keys. The module also includes another defined type that is specifically designed for managing services on a Windows system via the Registry keys that define them. In short, the module allows you to bring much more of your Windows configuration under one roof.

One example of how you might use this module is to lock down the Protected Mode feature of Adobe products, such as Acrobat Reader 11, to prevent end users from disabling this security feature. By default, Protected Mode sandboxing of PDF processing is enabled in this version, but may be freely disabled by the end user.

Screenshot of Protected Mode sandboxing

Adobe provides instructions for locking down this configuration option via a Registry entry in the Acrobat Application Security Guide. To do this using Puppet, we can use a resource like the following:

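  # Set the machine-wide policy value that locks Protected Mode on,
  # so end users cannot disable it from the Reader preferences.
  registry::value { 'Lock Acrobat Reader Protected Mode':
    key   => 'HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockdown',
    value => 'bProtectedMode',
    data  => '1',
    type  => 'dword',
  }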

When this is applied on a Windows host we’ll see output like this during the run:

Using Puppet to lock down Protected Mode in Acrobat Reader

The presence of the new Registry key can be verified in the Registry Editor:

screenshot of new Windows registry key

Next time we launch Acrobat Reader, we can check out the preferences and see that the option to disable Protected Mode sandboxing is now greyed out, so end users cannot readily bypass this security feature.

Protected mode sandboxing cannot be disabled
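
The Registry Editor check above can also be scripted so it can be run across many hosts. The following PowerShell is an added example, not part of the original post or of the puppetlabs-registry module; the function name Test-ReaderProtectedModeLock is hypothetical, and the key path, value name and data are the ones used in the resource above.

```powershell
# Added example: audit the lockdown value that the Puppet resource manages.
# Test-ReaderProtectedModeLock is a hypothetical helper name.
function Test-ReaderProtectedModeLock {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockdown',
        [string]$ValueName = 'bProtectedMode',
        [int]$Expected     = 1
    )

    $result = [ordered]@{
        Computer  = $env:COMPUTERNAME
        Compliant = $false
        Reason    = ''
    }

    # Get-Item on the HKLM: drive returns a Microsoft.Win32.RegistryKey,
    # or nothing if the policy key was never created or has been deleted.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    if ($null -eq $key) {
        $result.Reason = 'policy key is missing'
    }
    elseif ($key.GetValueNames() -notcontains $ValueName) {
        $result.Reason = "value $ValueName is missing"
    }
    elseif ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A value with the right name but the wrong type (for example a string).
        $result.Reason = "type is $($key.GetValueKind($ValueName)), expected DWord"
    }
    elseif ($key.GetValue($ValueName) -ne $Expected) {
        $result.Reason = "data is $($key.GetValue($ValueName)), expected $Expected"
    }
    else {
        $result.Compliant = $true
        $result.Reason    = 'locked'
    }

    [pscustomobject]$result
}

Test-ReaderProtectedModeLock
```

The function returns one object per host with a Compliant flag and a Reason, which distinguishes a missing key, a missing value, a wrong value type and wrong data.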

Another use case for the registry module is the management of Windows service entries. A defined type, registry::service, is built into the module to easily create and manage the Registry keys you need. Let’s say you’ve created a wrapper for an application, and want it to be installed as a service that starts automatically at boot-up. A resource like the following can be used to get the service set up on Windows hosts:

  registry::service { 'ExampleApp':
    ensure       => present,
    display_name => 'ExampleApp',
    description  => 'ExampleApp service',
    command      => 'C:\Program Files (x86)\ExampleApp\service.bat',
    start        => 'automatic'
  }

When it’s applied during a run we’ll see output like this:

Applying a resource that sets up a service to start automatically on boot-up

Checking out the Registry, we can see that the requisite entries now exist:

Screenshot of Windows registry entries for new service

After a restart, our new service shows up under Services in the management console:

Screenshot of new service in Services management console frame

Those two examples show off a pair of common uses for the module, but that’s just scratching the surface. For additional examples and an exhaustive description of the module’s capabilities, check it out on the Puppet Forge: puppetlabs-registry

Ken Johnson works in technical operations at Puppet Labs.
